
   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a ra


David Megginson had a nice piece to this effect a few years ago:
http://www.megginson.com/ugly/index.html

"When XML Turns Ugly"

This was pre-schema, and still largely client-oriented, but has a lot of 
interesting pieces on the dangers of XML processing.

At 11:24 AM 6/8/2002 +0100, Miles Sabin wrote:
>Yes it is, but it's now pretty widely understood that HTML (with or
>without embedded scripts or objects) can be dangerous on the client.
>
>I don't think there's the same understanding of vulnerabilities on the
>server side: if you POST an HTML document to a server you wouldn't
>normally expect it to attempt to retrieve images or execute embedded
>scripts or objects. OTOH, with an XML POST to a validating XML
>processor, retrieval of referenced external entities is precisely what's
>going to happen in many cases.

Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue

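Added example, not part of the original message: a server-side pre-check for the case Miles Sabin describes, listing every external resource a posted XML document asks the processor to retrieve, without retrieving any of them. It uses Python's `xml.parsers.expat`; the function names, the sample documents and the `example.invalid` URLs are constructed for illustration.

```python
"""Report external references in a posted XML document without fetching them."""
from xml.parsers import expat

# Constructed sample: a POST body whose DOCTYPE and entity point off-host.
SAMPLE_POST = b"""<?xml version="1.0"?>
<!DOCTYPE order SYSTEM "http://example.invalid/order.dtd" [
  <!ENTITY logo SYSTEM "http://example.invalid/logo.xml">
]>
<order>&logo;</order>
"""

# Constructed sample: a POST body with no DOCTYPE at all.
CLEAN_POST = b"<order><item>1</item></order>"


def external_references(body: bytes) -> list[tuple[str, str]]:
    """Return (kind, system_id) for every external reference in body.

    Nothing is retrieved: the handlers only record what a validating
    processor would have been asked to fetch.
    """
    found: list[tuple[str, str]] = []
    parser = expat.ParserCreate()
    # Never load the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            found.append(("doctype", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id names the target.
        if value is None and system_id is not None:
            found.append(("entity-decl", system_id))

    def on_external_ref(context, base, system_id, public_id):
        found.append(("entity-ref", system_id))
        return 1  # report as handled; the entity is never opened

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(body, True)  # raises expat.ExpatError if not well-formed
    return found


def accept(body: bytes) -> bool:
    """Server-side policy: reject any POST that names an external resource."""
    return not external_references(body)
```
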




 
