   Why validate? What kind of validation?


For people interested in the security/robustness aspects of validation, 
here are two relevant articles:

 http://www.kuro5hin.org/?op=displaystory;sid=2002/6/13/114234/914

http://www.acm.org/technews/articles/2002-4/0614f.html#item6

Does anyone know of any list of the most likely/damaging
security problems for XML, and what kinds of validation
would be appropriate to minimise risks?

Also, if a schema language were to specify fallback 
values which would be used when a value was not
valid, would that promote robustness/security
and lessen the need for non-XML properties
(in particular the property related to signalling
validity) in a PSVI? 

For example, if a datatyping spec said (in no particular
schema language)
  <element name="x">
    <datatype name="value" min="1" fallback="#CRAP" />
  </element>
the schema processing an instance would replace
  <x>0</x>
or
  <x>00000000000000000....times 800 to cause buffer problems</x>
with
  <x>#CRAP</x>

Cheers
Rick Jelliffe
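
An added example, not part of the original message and not the behaviour of any existing schema language: the fallback substitution proposed above, written in Python. The RULES table, the max_len bound and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical rule table modelled on the message's
# <datatype name="value" min="1" fallback="#CRAP" />.
# max_len is an added assumption: it bounds the lexical value before
# any numeric conversion is attempted.
RULES = {"x": {"min": 1, "max_len": 18, "fallback": "#CRAP"}}

_INTEGER = re.compile(r"[+-]?[0-9]+")


def is_valid(text, rule):
    """Check length first, then lexical form, then the min facet."""
    text = (text or "").strip()
    if len(text) > rule["max_len"]:
        return False
    if not _INTEGER.fullmatch(text):
        return False
    return int(text) >= rule["min"]


def apply_fallbacks(xml_text, rules=RULES):
    """Return (rewritten XML, list of (tag, original length) replaced)."""
    root = ET.fromstring(xml_text)
    replaced = []
    for el in root.iter():
        rule = rules.get(el.tag)
        if rule is None or is_valid(el.text, rule):
            continue
        # Record only the length, so the oversized value is never copied on.
        replaced.append((el.tag, len(el.text or "")))
        el.text = rule["fallback"]
    return ET.tostring(root, encoding="unicode"), replaced


# Constructed sample instance: one valid value, one below min, one oversized.
SAMPLE = "<doc><x>5</x><x>0</x><x>" + "0" * 800 + "</x></doc>"

if __name__ == "__main__":
    xml_out, replaced = apply_fallbacks(SAMPLE)
    print(xml_out)
    print(replaced)
```

The returned list carries the validity signal separately from the document: a consumer that sees only the rewritten XML cannot tell a substituted #CRAP from one the author wrote.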





 


Copyright 2001 XML.org. This site is hosted by OASIS