Miles Sabin wrote
> > Hi Ron, prepare to be pleasantly surprised. There is a standard
> > feature in SAX called
> > "http://xml.org/sax/features/external-parameter-entities", which
> > prevents the parser from reading any external entities - including
> > the external DTD subset.
> And the default is?
According to the SAX specification the default is unspecified. But if
validation is enabled, then it must be set to "true".
> > Not all SAX parsers support this feature, but many do (ours included).
> Which means that even if developers are aware that they ought to disable
> external entity retrieval, and are aware of how to do it, they have no
> guarantee that it'll actually happen.
Sure they do. If the SAX parser they are using doesn't support the feature,
then they'll get an UnsupportedFeatureException when they try to set it.
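The configuration discussed in the thread, as an added example that is not code from the original message or from any particular SAX implementation. It assumes a JAXP-accessible SAX 2 parser such as the Xerces build bundled with the JDK; the two `http://xml.org/sax/features/...` URIs are the standard SAX 2 feature names, while `http://apache.org/xml/features/nonvalidating/load-external-dtd` is Xerces-specific and may be reported as unrecognized by other parsers. The class, method and constant names (`SaxExternalEntityCheck`, `TripWire`, `probe`, `PROBE_XML`) and the probe document are constructed for this example. `SAXNotRecognizedException` and `SAXNotSupportedException` are the two exceptions that SAX 2's `XMLReader.setFeature` declares, so the code catches both rather than relying on a single feature call succeeding.

```java
// Added example (not from the original thread). Assumes a JAXP SAX 2 parser;
// the apache.org feature URI is Xerces-specific.
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SaxExternalEntityCheck {

    // Standard SAX 2 feature names.
    static final String EXT_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    // Xerces-specific: other parsers may throw SAXNotRecognizedException for it.
    static final String LOAD_EXT_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Constructed probe input: an external DTD subset and an external parameter
    // entity, both pointing at files that do not exist, so any attempt to read
    // them is observable through the EntityResolver below.
    static final String PROBE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc SYSTEM \"file:///nonexistent/external.dtd\" [\n" +
        "  <!ENTITY % ext SYSTEM \"file:///nonexistent/params.dtd\">\n" +
        "  %ext;\n" +
        "]>\n" +
        "<doc>hello</doc>\n";

    /** Records every external resource the parser asks for and never hands over the real one. */
    static final class TripWire implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("")); // empty stand-in, not the real resource
        }
    }

    /** Sets a feature and reports, rather than silently ignores, a parser that refuses it. */
    static boolean setFeature(XMLReader reader, String feature, boolean value) {
        try {
            reader.setFeature(feature, value);
            return true;
        } catch (SAXNotRecognizedException e) {
            System.out.println("not recognized by this parser: " + feature);
        } catch (SAXNotSupportedException e) {
            System.out.println("recognized but cannot be set to " + value + ": " + feature);
        }
        return false;
    }

    static XMLReader newReader(boolean hardened) throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setValidating(false); // validation would force external-parameter-entities on
        XMLReader reader = factory.newSAXParser().getXMLReader();
        if (hardened) {
            setFeature(reader, EXT_GENERAL, false);
            setFeature(reader, EXT_PARAMETER, false);
            setFeature(reader, LOAD_EXT_DTD, false);
        }
        return reader;
    }

    /** Parses PROBE_XML and returns the system IDs the parser tried to fetch. */
    static List<String> probe(XMLReader reader) throws IOException, SAXException {
        TripWire wire = new TripWire();
        reader.setEntityResolver(wire);
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(PROBE_XML)));
        return wire.requested;
    }

    public static void main(String[] args) throws Exception {
        for (boolean hardened : new boolean[] { false, true }) {
            List<String> fetched = probe(newReader(hardened));
            System.out.println((hardened ? "hardened" : "default") + " parser requested: " + fetched);
        }
    }
}
```

The `TripWire` resolver is the check a practitioner wants after setting the feature: the parser cannot read `PROBE_XML` from the wire, so an empty list for the hardened reader means neither the external DTD subset nor the parameter entity was requested, while a non-empty list means the feature did not take effect on that parser even though `setFeature` did not throw. Where the application never needs a DOCTYPE at all, the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` set to `true` is a stronger setting, but it would reject the probe document outright, which is why it is not used here.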