Lists Home |
Date Index |
From: "Miles Sabin" <firstname.lastname@example.org>
> Read it carefully: "In case of *untrusted* XML input it is best ...".
> The qualifier is important.
> To all intents and purposes a list which specifies trusted sources is an
Miles' ACLs say "These document are trusted, so they can access any entities".
It is a list (simplification) of documents that can make references.
My ACLs say "These entities can be accessed by any document".
It is a list (simplification) of documents that can be referred to, enforced
by a parser's entity manager.
Not the same thing at all, though certainly there may be scope for both.
I don't see how Miles' ACLs prevent the attacks suggested. (But I don't
deny that different levels of security are appropriate for different levels