Rob Lugt wrote,
> Miles Sabin wrote
> > Which means that even if developers are aware that they ought to
> > disable external entity retrieval, and are aware of how to do it,
> > they have no guarantee that it'll actually happen.
>
> Sure they do. If the SAX parser they are using doesn't support the
> feature, then they'll get an UnsupportedFeatureException when they
> try to set it.
But then we have a slightly different problem. Developers who try to do
the right thing will be hit by interoperability issues. Either that or
they have to specify a particular (set of) SAX implementation(s) which
somewhat undermines SAX as a common API.
On reflection, I think that SAX should be tweaked to at least require
support for this feature, and maybe mandate that the default be to not
retrieve external entities.
Cheers,
Miles
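A worked illustration of the two points above, added here and not part of the original thread or of any SAX implementation's own code. It uses Python's expat-backed xml.sax as the concrete SAX parser, because it exposes the standard feature names (http://xml.org/sax/features/external-general-entities and the parameter-entity twin, available as xml.sax.handler.feature_external_ges / feature_external_pes) and raises SAXNotRecognizedException or SAXNotSupportedException where the Java API Rob refers to throws its unsupported-feature exception. The helper names (disable_external_entities, RefusingResolver, parse_text, demo), the sample files doc.xml and secret.txt, and the fallback of installing a refusing EntityResolver when the feature cannot be set are all assumptions of this example, not anything the thread prescribes. The example goes slightly beyond the discussion by showing the fallback path as well as the feature-set path.

```python
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax import SAXNotRecognizedException, SAXNotSupportedException
from xml.sax.handler import feature_external_ges, feature_external_pes


class TextCollector(handler.ContentHandler):
    """Accumulates all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class RefusingResolver(handler.EntityResolver):
    """Fallback used only when setFeature() is refused (hypothetical helper).

    expatreader routes every external entity through resolveEntity(); raising
    here makes the parse fail instead of silently fetching the resource.
    """

    def resolveEntity(self, publicId, systemId):
        raise xml.sax.SAXException(
            "external entity retrieval refused: %r" % (systemId,))


def disable_external_entities(parser):
    """Try to switch off external general and parameter entity retrieval.

    Returns True when the parser honoured both features.  If it rejects one
    (SAXNotRecognizedException / SAXNotSupportedException, the interop
    failure discussed in the thread), install the refusing resolver as a
    fallback and return False so the caller knows the feature was not set.
    """
    ok = True
    for feature in (feature_external_ges, feature_external_pes):
        try:
            parser.setFeature(feature, False)
        except (SAXNotRecognizedException, SAXNotSupportedException):
            ok = False
    if not ok:
        parser.setEntityResolver(RefusingResolver())
    return ok


def parse_text(doc_path, retrieve_external):
    """Parse doc_path and return the character data the handler saw."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    if retrieve_external:
        parser.setFeature(feature_external_ges, True)   # the risky setting
    else:
        disable_external_entities(parser)               # the hardened setting
    parser.parse(doc_path)
    return collector.text()


def build_sample(directory):
    """Write a constructed document whose external general entity points at a
    local file (the shape of an entity-based file disclosure); return its path."""
    with open(os.path.join(directory, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("TOP SECRET")
    doc = os.path.join(directory, "doc.xml")
    with open(doc, "w", encoding="utf-8") as f:
        f.write(
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE note [ <!ENTITY ext SYSTEM "secret.txt"> ]>\n'
            "<note>leak: &ext;</note>\n"
        )
    return doc


def demo():
    """Return (text with retrieval disabled, text with retrieval enabled)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = build_sample(tmp)
        return (parse_text(doc, retrieve_external=False),
                parse_text(doc, retrieve_external=True))


if __name__ == "__main__":
    hardened, risky = demo()
    print("retrieval disabled:", repr(hardened))
    print("retrieval enabled: ", repr(risky))
```

Run as a script it prints "leak: " for the hardened parse and "leak: TOP SECRET" for the permissive one. Note that the feature is set before parse() is called; xml.sax refuses setFeature() once parsing has started, which is why the hardening belongs in parser construction rather than in a handler.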