[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: schemaLocation & Parser support?
- From: "David E. Cleary" <firstname.lastname@example.org>
- To: Prashanth Rao <email@example.com>, firstname.lastname@example.org
- Date: Tue, 14 Aug 2001 16:30:09 -0400
> The last sentence of the above paragraph indicates to me that
> xsi:schemaLocation is an optional feature that parsers can choose to
> implement or not.
Correct. Although I do not know of any parser supporting XML Schema not
> This seems to go against the grain of the design
> philosophy of XML: "The number of optional features in XML is to
> be kept to
> the absolute minimum, ideally zero." I know that they are two separate
> specifications, but by relegating xsi:schemaLocation to be an optional
> feature, the specification breeds parser inconsistency, which
> surely can not
> be a good thing.
If you have a server application that processes XML documents, are you
really going to trust the author of the document to provide you the schema
you validate that instance against? For instance, you accept purchase orders
that conform to a vocabulary sprcified by OAG or CommerceOne or what have
you. Your application can handle any XML document that validates against
these schemas. If schemaLocation were not optional, Joe Hacker could send
you an instance that claims to be from one of these vocabularies and tells
you you can get the schema off of some web site in the former Soviet Union.
This schema could be anything and the instance will be valid against it, but
bad things happen to your application. What is the purpose of validating
against a schema if you have no control over where that schema came from?
All the XML Schema compliant parsers I am aware of will use schemaLocation
unless you (the application) override it. This is how it should be. In my
XML world, xsi:schemaLocation is a security risk and I will not use a parser
that doesn't allow me to disable it.
Section 2.4 Schema Structures defines 3 conformance levels for schema
processors. A fully conforming processor must use schemaLocation unless
directed otherwise. Otherwise it can't be called fully conforming.