OASIS Mailing List Archives

   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r


Rob Lugt wrote,
> Miles Sabin wrote
> > Which means that even if developers are aware that they ought to
> > disable external entity retrieval, and are aware of how to do it,
> > they have no guarantee that it'll actually happen.
>
> Sure they do.  If the SAX parser they are using doesn't support the
> feature, then they'll get an UnsupportedFeatureException when they
> try to set it.

But then we have a slightly different problem. Developers who try to do 
the right thing will be hit by interoperability issues. Either that or 
they have to specify a particular (set of) SAX implementation(s) which 
somewhat undermines SAX as a common API.

On reflection, I think that SAX should be tweaked to at least require 
support for this feature, and maybe mandate that the default be to not 
retrieve external entities.

Cheers,


Miles
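
The fail-closed handling discussed in this message, as an added example that is not part of the original post: it uses Python's `xml.sax` binding of SAX2 rather than the Java API, and the helper names and the sample document are assumptions made for illustration. The reader is used only if both external-entity features can be switched off and verified, and a refusing `EntityResolver` records any retrieval the parser still attempts.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes)

# Constructed sample: the system identifier is a placeholder, never fetched.
SAMPLE = (b'<?xml version="1.0"?>\n'
          b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///constructed/sample.txt">]>\n'
          b'<doc>before &ext; after</doc>')

class RefusingResolver(EntityResolver):
    """Defence in depth: record and refuse any external entity request."""
    def __init__(self):
        self.requested = []
    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        raise xml.sax.SAXException("external entity refused: %s" % systemId)

class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def hardened_reader(reader=None):
    """Return a reader with external entities off, or raise (fail closed)."""
    if reader is None:
        reader = xml.sax.make_parser()
    for feature in (feature_external_ges, feature_external_pes):
        try:
            reader.setFeature(feature, False)
            still_on = reader.getFeature(feature)
        except (xml.sax.SAXNotRecognizedException,
                xml.sax.SAXNotSupportedException) as exc:
            raise RuntimeError("parser cannot disable " + feature) from exc
        if still_on:  # setFeature was accepted but had no effect
            raise RuntimeError("parser ignored request to disable " + feature)
    return reader

def parse_text(xml_bytes, reader):
    """Parse and return (text, entity URLs the parser asked for, aborted?)."""
    resolver, collector = RefusingResolver(), TextCollector()
    reader.setEntityResolver(resolver)
    reader.setContentHandler(collector)
    try:
        reader.parse(io.BytesIO(xml_bytes))
        aborted = False
    except xml.sax.SAXException:
        aborted = True
    return "".join(collector.chunks), resolver.requested, aborted
```

Passing a reader that does not recognise the features, such as a bare `xml.sax.xmlreader.XMLReader()`, makes `hardened_reader` raise instead of returning a parser whose entity behaviour is unknown.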




 


Copyright 2001 XML.org. This site is hosted by OASIS