OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

[ Lists Home | Date Index | Thread Index ]

Rob Lugt wrote,
> Ronald Bourret wrote
> > Worse yet, this isn't limited to validation. A parser is free to
> > read an external DTD (to get attribute defaults and entity values)
> > even when it isn't validating. I haven't looked at any of the
> > parsers I've used closely enough, but it would surprise me if any
> > had a way to turn this completely off.
> Hi Ron, prepare to be pleasantly surprised.  There is a standard
> feature in SAX called 
> "http://xml.org/sax/features/external-parameter-entities";, which
> prevents the parser from reading any external entities - including
> the external DTD subset.

And the default is?

> Not all SAX parsers support this feature, but many do (ours included).

Which means that even if developers are aware that they ought to disable 
external entity retrieval, and are aware of how to do it, they have no 
guarantee that it'll actually happen.




News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS