Closed Bug 668484 Opened 13 years ago Closed 13 years ago

XSL stylesheets on local drives don't work

Categories

(Core :: XSLT, defect)

All
Other
defect
Not set
normal

VERIFIED DUPLICATE of bug 397894

People

(Reporter: will.pittenger1+mozbugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

I have an XML file on my hard drive. Its stylesheet is "../../gallery.xsl". Firefox 5.0 32-bit (Windows Vista SP4 64-bit) shows only the text in the XML without any tags. IE9 handles the same exact XML/XSL combination correctly. werwolf confirmed the problem. He also uploaded some files and verified that relative paths on a remote server don't have a problem.

My XSL reference is as follows:

<?xml-stylesheet type="text/xsl" href="../../Gallery.xslt"?>

Actual results:

Firefox shows only text nodes from the XML. It is like it is trying to treat the XML file as HTML.

Expected results:

I was expecting HTML output from this XSL file. As noted, IE9 processes the XSL correctly.

You need to put the XSLT file in the same directory or a subdirectory of the XML file; it can't be outside for security reasons.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Works in Opera and IE, is it really a bug? I don't think so.
Robert Longson, where is it in the specification? XSLT are just style documents like CSS is. I mean it should behave the same way. The developer has to set up his server correctly.
See the bug I've duplicated this to for details.
Resolution: INVALID → DUPLICATE
> XSLT are just style documents like CSS is.

Not quite, actually. There are some subtle but important differences from a security perspective.
Status: RESOLVED → VERIFIED
Boris, could you please point me to the part of the spec where this is discussed? I have to file the bug for Opera. Thanks
There is no spec covering XSLT security issues. Like many other old W3C specs it was written without any security considerations in mind, which means that just implementing the spec leaves security holes open...
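
The rule given in the first reply (the stylesheet must sit in the same directory as the local XML file, or below it) can be checked before opening a document. The following is an added example, not part of the bug thread and not Firefox's code: it applies the rule only as that reply states it, the function names are hypothetical, and the sample path and document are constructed.

```python
import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urljoin, urlsplit

# xml-stylesheet processing instruction and its pseudo-attributes.
_PI = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.S)
_ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def stylesheet_hrefs(xml_text):
    """Return the href of every xml-stylesheet PI found in the document."""
    hrefs = []
    for pi in _PI.finditer(xml_text):
        attrs = {m.group(1): m.group(2) or m.group(3) or ""
                 for m in _ATTR.finditer(pi.group(1))}
        if "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs


def _local_path(url):
    """Normalized path of a file: URL, or None for any other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        return None
    # Decode percent-escapes first so an encoded ".." is collapsed as well.
    return PurePosixPath(posixpath.normpath(unquote(parts.path)))


def blocked_hrefs(xml_url, xml_text):
    """hrefs of a local document that resolve outside its own directory tree."""
    doc = _local_path(xml_url)
    if doc is None:
        return []  # the rule in the thread concerns local files only
    blocked = []
    for href in stylesheet_hrefs(xml_text):
        target = _local_path(urljoin(xml_url, href))
        if target is not None and doc.parent not in target.parents:
            blocked.append(href)
    return blocked


# Constructed sample mirroring the reporter's stylesheet reference.
SAMPLE_URL = "file:///home/user/site/albums/2011/index.xml"
SAMPLE_XML = ('<?xml version="1.0"?>\n'
              '<?xml-stylesheet type="text/xsl" href="../../Gallery.xslt"?>\n'
              '<gallery/>')

if __name__ == "__main__":
    print(blocked_hrefs(SAMPLE_URL, SAMPLE_XML))
```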