OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

[ Lists Home | Date Index | Thread Index ]

Miles Sabin wrote
> > > Which means that even if developers are aware that they ought to
> > > disable external entity retrieval, and are aware of how to do it,
> > > they have no guarantee that it'll actually happen.
> >
> > Sure they do.  If the SAX parser they are using doesn't support the
> > feature, then they'll get a [SAXNotRecognizedException] when they
> > try to set it.
> But then we have a slightly different problem. Developers who try to do
> the right thing will be hit by interoperability issues. Either that or
> they have to specify a particular (set of) SAX implementation(s) which
> somewhat undermines SAX as a common API.
> On reflection, I think that SAX should be tweaked to at least require
> support for this feature, and maybe mandate that the default be to not
> retrieve external entities.

It seems reasonable that the feature be mandatory, (so long as you don't
mandate that all SAX parsers accept a value of "true", as some just won't
have the ability to read network resources).  I'm not sure how existing
applications would be affected if the default value was mandated rather than
being unspecified as it is at present.

The process for suggesting this kind of change to SAX involves raising an
RFE on the sourceforge site [1].


[1] http://sourceforge.net/tracker/?group_id=29449


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS