OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 

 
   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

[ Lists Home | Date Index | Thread Index ] 
Miles Sabin wrote
> >
> > Hi Ron, prepare to be pleasantly surprised.  There is a standard
> > feature in SAX called
> > "http://xml.org/sax/features/external-parameter-entities";, which
> > prevents the parser from reading any external entities - including
> > the external DTD subset.
>
> And the default is?

According to the SAX specification [1] the default is unspecified.  But if
validation is enabled, then is must be set to "true".

>
> > Not all SAX parsers support this feature, but many do (ours included).
>
> Which means that even if developers are aware that they ought to disable
> external entity retrieval, and are aware of how to do it, they have no
> guarantee that it'll actually happen.

Sure they do.  If the SAX parser they are using doesn't support the feature,
then they'll get an UnsupportedFeatureException when they try to set it.

Regards
~Rob

[1]
http://www.saxproject.org/apidoc/org/xml/sax/package-summary.html#package_de
scription

 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS