Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> > Suggested fix:
> > Most XML parsers allow their user to explicitly specify external
> > entity handler. In case of untrusted XML input it is best to
> > prohibit all external general entities.
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
> ??? "It is best to prohibit" is not the same thing as "allow access
> control lists".
Read it carefully: "In case of *untrusted* XML input it is best ...".
The qualifier is important.
To all intents and purposes a list which specifies trusted sources is an