David Megginson had a nice piece to this effect a few years ago:
http://www.megginson.com/ugly/index.html
"When XML Turns Ugly"
This was pre-schema, and still largely client-oriented, but has a lot of
interesting pieces on the dangers of XML processing.
At 11:24 AM 6/8/2002 +0100, Miles Sabin wrote:
>Yes it is, but it's now pretty widely understood that HTML (with or
>without embedded scripts or objects) can be dangerous on the client.
>
>I don't think there's the same understanding of vulnerabilities on the
>server side: if you POST an HTML document to a server you wouldn't
>normally expect it to attempt to retrieve images or execute embedded
>scripts or objects. OTOH, with an XML POST to a validating XML
>processor, retrieval of referenced external entities is precisely what's
>going to happen in many cases.
Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue
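
The server-side retrieval described in the quoted message can be checked for before a POSTed document reaches a validating processor. The following is an added example, not part of the original message: it uses Python's expat binding to list the external identifiers a document declares without retrieving any of them. The function names and the sample document (with its `example.invalid` URLs) are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: a POST body that declares an external DTD subset
# and an external general entity, then references the entity in content.
SAMPLE_POST = b"""<?xml version="1.0"?>
<!DOCTYPE order SYSTEM "http://example.invalid/order.dtd" [
  <!ENTITY logo SYSTEM "http://example.invalid/logo.xml">
]>
<order>&logo;</order>"""


def external_references(xml_bytes):
    """Return (kind, name, system_id) for every external identifier the
    document declares. Nothing is fetched: expat only reports them."""
    found = []
    parser = expat.ParserCreate()
    # Never ask for the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            found.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value and no system identifier.
        if system_id is not None:
            kind = "parameter-entity" if is_param else "entity"
            found.append((kind, name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Non-zero tells expat to carry on without loading the entity.
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return found


def safe_to_validate(xml_bytes):
    """True only when the document asks the processor to retrieve nothing."""
    return not external_references(xml_bytes)


if __name__ == "__main__":
    for ref in external_references(SAMPLE_POST):
        print(ref)
```

A server can call `safe_to_validate` on the request body and reject the document, or route it to a parser with external entity loading disabled, when it returns `False`.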