[
Lists Home |
Date Index |
Thread Index
]
Miles Sabin wrote
> >
> > Hi Ron, prepare to be pleasantly surprised. There is a standard
> > feature in SAX called
> > "http://xml.org/sax/features/external-parameter-entities", which
> > prevents the parser from reading any external entities - including
> > the external DTD subset.
>
> And the default is?
According to the SAX specification [1] the default is unspecified. But if
validation is enabled, then is must be set to "true".
>
> > Not all SAX parsers support this feature, but many do (ours included).
>
> Which means that even if developers are aware that they ought to disable
> external entity retrieval, and are aware of how to do it, they have no
> guarantee that it'll actually happen.
Sure they do. If the SAX parser they are using doesn't support the feature,
then they'll get an UnsupportedFeatureException when they try to set it.
Regards
~Rob
[1]
http://www.saxproject.org/apidoc/org/xml/sax/package-summary.html#package_de
scription
|