there is a security bug in the current Slide release. Using the LOCK
methode it is possible to display content from your local file system.
This works by passing over literate XML that contains entities that
refer to your local file system.
AFAIK this can not be prevented by the XML implementation Slide uses (JDOM).
A quick fix would be to disable the LOCK method in the web.xml by
commenting it out or removing it.
I have also committed a patched LockMethod.java that does not return
literate XML at all. This may cause trouble with the owner filed that
some clients require, but it is the best I can do for now.
It is checked in in the Slide 2.1 release branch and in the HEAD
branch. For existing Slide 2.1 installations it would suffice to check
out, compile and replace the LockMethod class. You can do so by
copying it in the the WEB-INF/class folder including all package
If you grant outside access to your Slide WebDAVServer be sure to take
care of this bug.