Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> >
> > Suggested fix:
> > Most XML parsers allow their user to explicitly specify external
> > entity handler. In case of untrusted XML input it is best to
> > prohibit all external general entities.
> >
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
>
> ??? "It is best to prohibit" is not the same thing as "allow access
> control lists".
Read it carefully: "In case of *untrusted* XML input it is best ...".
The qualifier is important.
To all intents and purposes a list which specifies trusted sources is an
ACL.
Cheers,
Miles
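The two positions in the exchange above, the quoted "prohibit all external general entities" and Miles's point that a list of trusted sources is an ACL, can both be expressed with an explicit external entity handler. The following is an added example, not code from the thread or its participants, using Python's standard library expat binding; the names `parse_untrusted`, `ExternalEntityError`, `rejects_external`, the sample documents and the `urn:example:footer` identifier are assumptions made for the illustration.

```python
"""Added example (not from the xml-dev thread): refusing external general
entities in untrusted XML with Python's stdlib expat binding, either outright
(the quoted "suggested fix") or through a list of trusted entity sources (the
ACL Miles describes)."""
import xml.parsers.expat


class ExternalEntityError(ValueError):
    """Raised when untrusted input declares or references an external entity
    that is not on the trusted list."""


def parse_untrusted(data, trusted=None):
    """Parse XML bytes from an untrusted source and return its character data.

    trusted: optional dict mapping an entity's system identifier to the bytes a
    trusted source supplies for it. With no entries every external entity is
    prohibited; with entries, only listed identifiers are resolved, and only
    from the supplied bytes, never from the network or the file system.
    """
    trusted = trusted or {}
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # expat passes value=None for external (SYSTEM/PUBLIC) entities and the
        # literal text for internal ones; reject external declarations early,
        # before any reference can trigger a fetch. External parameter entities
        # are refused as well, since they can pull in a whole DTD.
        if value is None and system_id not in trusted:
            raise ExternalEntityError(
                f"entity {name!r} points at untrusted source {system_id!r}")

    def external_entity_ref(context, base, system_id, public_id):
        # Explicit handler, as the thread recommends: expat only sees what this
        # function feeds it, so an unlisted identifier is never read.
        if system_id not in trusted:
            raise ExternalEntityError(
                f"reference to untrusted external entity {system_id!r}")
        sub = parser.ExternalEntityParserCreate(context)  # inherits the handlers
        sub.Parse(trusted[system_id], True)
        return 1  # tell expat the entity was handled

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def rejects_external(data, trusted=None):
    """True if parse_untrusted refuses the document because of an external entity."""
    try:
        parse_untrusted(data, trusted)
    except ExternalEntityError:
        return True
    return False


# Constructed sample documents; the system identifiers are placeholders.
SAFE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting; world</note>"""

EXTERNAL_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "file:///EXAMPLE/placeholder.txt"> ]>
<note>&ext;</note>"""

ACL_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY footer SYSTEM "urn:example:footer"> ]>
<note>body: &footer;</note>"""

# The "ACL": the only external source this parser will ever accept, and the
# bytes it is allowed to contribute (constructed for the example).
TRUSTED = {"urn:example:footer": b"from a trusted source"}

if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC))          # hello world (internal entities are fine)
    print(rejects_external(EXTERNAL_DOC))     # True: prohibited outright
    print(rejects_external(ACL_DOC))          # True: identifier not on the list
    print(parse_untrusted(ACL_DOC, TRUSTED))  # body: from a trusted source
```

Rejecting at declaration time (`EntityDeclHandler`) means a document that merely declares an untrusted external entity fails before any reference is reached, and the `ExternalEntityRefHandler` is the second line of defence. Passing the entity bytes in from the trusted list, rather than letting the parser open a URL, keeps the trust decision in one place.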