Closed. kohsah closed this 7 years ago.
Are there any security implications? Should this be made optional for specific cases? @wolfgangmm @adamretter
@dizzzz There is indeed a problem here in terms of security implications. I was testing something in my instance and came across it. The bug seems to be there prior to my PR (which actually makes the problem even worse).
I realized now that $with and $at are mapped to URL parameters. So I can call http://exist/app/my-page.html?with=http://xss/foriegn.html and it will use foriegn.html as the template for the page.
I temporarily fixed this at my end by changing template.xql to accept only a known HTTP server path as the template source. Even prior to my PR there is also a possible security threat, since I can specify things like:
http://exist/app/my-page.html?with=../other-app/something.xml
or
http://exist/app/my-page.html?with=../dashboard/configuration.xml
which basically shows the file from within another collection on the eXist server.
I am not sure why $with and $at need to be exposed as URL parameters; they are specified in page templates as configuration, and should really be specified only there, not via URL parameters.
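A check of the kind kohsah describes, written here as an added example in Python; it is neither eXist's template.xql nor the author's own patch. The templates collection path /db/apps/my-app/templates and the allowed file types are assumptions, and the value is assumed to be already URL-decoded by the server. It rejects remote URLs, absolute paths and any reference that normalises to a location outside the templates collection:

```python
"""Validation for a templating 'with'/'at' style parameter.

Added illustration (not eXist's template.xql): constrain a template
reference so that it can only name a file inside one fixed templates
collection. Collection path, suffixes and sample values are assumed.
"""
import posixpath
from urllib.parse import urlsplit

# Assumed: the only collection allowed to hold page templates.
TEMPLATES_BASE = "/db/apps/my-app/templates"
# Assumed: templating only ever needs these file types.
ALLOWED_SUFFIXES = (".html", ".xhtml", ".xml")


class TemplateRejected(ValueError):
    """Raised when a template reference must not be honoured."""


def resolve_template(ref: str, base: str = TEMPLATES_BASE) -> str:
    """Return the absolute collection path for a template reference.

    The caller passes the already URL-decoded parameter value. Any
    reference that carries a scheme or host (a remote resource), is
    absolute, or normalises to a path outside `base` is rejected.
    """
    if not ref:
        raise TemplateRejected("empty template reference")
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc or ref.startswith("//"):
        # e.g. http://xss/foreign.html: never fetch a template remotely
        raise TemplateRejected(f"remote template not allowed: {ref}")
    if ref.startswith("/") or "\\" in ref or "\x00" in ref:
        raise TemplateRejected(f"absolute or malformed reference: {ref}")
    # Collapse ../ and ./ segments relative to the base collection.
    resolved = posixpath.normpath(posixpath.join(base, ref))
    if not resolved.startswith(base.rstrip("/") + "/"):
        # e.g. ../dashboard/configuration.xml escapes the collection
        raise TemplateRejected(f"reference escapes templates: {ref}")
    if not resolved.endswith(ALLOWED_SUFFIXES):
        raise TemplateRejected(f"unexpected template type: {ref}")
    return resolved


def is_acceptable(ref: str) -> bool:
    """Boolean convenience wrapper around resolve_template()."""
    try:
        resolve_template(ref)
    except TemplateRejected:
        return False
    return True
```

Rejections are logged or surfaced as a 400 by the caller; the safer course kohsah suggests, taking the template only from page configuration, makes this check unnecessary for request parameters altogether.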
@kohsah Yikes, thank you for this report!
@kohsah Thank you for your contribution!
See Issue #23 for more detailed commentary on the reason for the change and PR.