   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r


Ronald Bourret wrote

> Worse yet, this isn't limited to validation. A parser is free to read an
> external DTD (to get attribute defaults and entity values) even when it
> isn't validating. I haven't looked at any of the parsers I've used
> closely enough, but it would surprise me if any had a way to turn this
> completely off.

Hi Ron, prepare to be pleasantly surprised.  There is a standard feature in
SAX called "http://xml.org/sax/features/external-parameter-entities", which
prevents the parser from reading any external entities - including the
external DTD subset.

Not all SAX parsers support this feature, but many do (ours included).


Rob Lugt
ElCel Technology
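
The feature named in the reply above, exercised through Python's `xml.sax` binding as an added example (not code from the post or from ElCel's parser); the sample document, the placeholder DTD URL and the names `RecordingResolver`, `harden` and `requested_entities` are constructed for illustration. It also switches off the companion `external-general-entities` feature, because CPython's expat-based reader gates the external DTD subset on that flag, and it raises if the parser rejects either setting, which covers the "not all SAX parsers support this" case.

```python
import io
import xml.sax
from xml.sax.handler import (EntityResolver, feature_external_ges,
                             feature_external_pes)
from xml.sax.xmlreader import InputSource

# Constructed sample: the DOCTYPE names an external DTD subset (placeholder URL).
DTD_URL = "http://dtd.example.invalid/doc.dtd"
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE doc SYSTEM "%s">\n'
          '<doc>hello</doc>' % DTD_URL).encode("ascii")


class RecordingResolver(EntityResolver):
    """Records requested system IDs; serves an empty in-memory stream."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        empty = InputSource()
        empty.setByteStream(io.BytesIO(b""))  # nothing is fetched
        return empty


def harden(reader):
    """Switch off external entity loading; fail closed if the parser refuses."""
    # CPython's expat reader routes the external DTD subset through the same
    # hook as external general entities, so both SAX features are disabled.
    for feature in (feature_external_pes, feature_external_ges):
        try:
            reader.setFeature(feature, False)
        except (xml.sax.SAXNotRecognizedException,
                xml.sax.SAXNotSupportedException) as exc:
            raise RuntimeError("parser cannot disable " + feature) from exc
        if reader.getFeature(feature):
            raise RuntimeError(feature + " is still enabled")


def requested_entities(hardened):
    """Parse SAMPLE and return the system IDs the parser tried to load."""
    reader = xml.sax.make_parser()
    if hardened:
        harden(reader)
    else:
        reader.setFeature(feature_external_ges, True)  # permissive, for contrast
    resolver = RecordingResolver()
    reader.setEntityResolver(resolver)
    reader.parse(io.BytesIO(SAMPLE))
    return resolver.requested
```

Calling `requested_entities(False)` shows the parser asking the resolver for the external DTD, while `requested_entities(True)` shows no request at all.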



Copyright 2001 XML.org. This site is hosted by OASIS