The XSLT functionality in WebKit in Apple Safari before 4.0 does not
properly implement the document function, which allows remote
attackers to read (1) arbitrary local files and (2) files from
different security zones via unspecified vectors.
Presumably all affected versions are gone from tree. Closing as discussed with keytoaster.