   Re: [xml-dev] Internal entities removed from XML?


On Thu, 19 Dec 2002 17:56:00 +0000, Bill de hÓra <bill.dehora@propylon.com> 
wrote:

>
>
> I'm not asking for the feature to be removed, just make the default 
> setting compliant with XML. If you don't want entities expanded, turn 
> them off. Having to turn them on frankly breaks with the spirit of 
> things.
>

Upon reflection, I guess I am very ambivalent, but tending toward being 
convinced by the arguments here. The only compelling reasons for defaulting 
to "no entities" that I can think of are a) the statistical likelihood that 
external entities will cause problems; and b) the billion laughs DOS 
attack.   I have no idea if the latter was part of MS's design decision, 
but http://online.securityfocus.com/archive/1/303509/2002-12-13/2002-12-19/0 does suggest "If possible, disable DTD in the XML parser. This 
requires raw access to the XML parser API, which is usually impossible for 
Web Services applications."  (Of course, a SOAP message shouldn't have a 
DTD in the first place, but, ahem, "be liberal in what you consume" ...).

 Still, on balance, the argument that "System.XML should play by the XML 
rules rather than the SOAP rules, define a System.SOAP if you want to 
expose the SOAP rules" is pretty persuasive.  But I guess I don't think of 
this as a black/white compliant/non-compliant issue, but just another one 
of the shades-of-grey things we have to deal with.  I'm frankly glad I 
don't have to make the decision!   Damned if you appear to be non-compliant, double-damned if your customers get hit with some (accidental or 
deliberate) performance hit from a recursive entity expansion scenario. 
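The two defensive options the post weighs, "disable DTD in the XML parser" versus tolerating entities but bounding the recursive expansion, as an added example that is not part of this thread or of any of the products it mentions. It uses only Python's standard xml.parsers.expat; the two sample documents (one clean SOAP-like body, one tiny three-level nested-entity document) and the 50-character budget are constructed for illustration, not taken from the list.

```python
"""Added example: two parser policies against recursive entity expansion."""
import xml.parsers.expat

# Constructed sample documents (not from the mailing list).
CLEAN_DOC = b"<soap><body><hello>world</hello></body></soap>"

# Deliberately tiny three-level entity nest: 3*3*3*len("lol") = 81 characters
# after expansion. The "billion laughs" shape named in the post differs only
# in depth and fan-out, which is exactly why a fixed budget catches both.
NESTED_ENTITY_DOC = b"""<!DOCTYPE r [
  <!ENTITY lol0 "lol">
  <!ENTITY lol1 "&lol0;&lol0;&lol0;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<r>&lol3;</r>"""


class DtdRejected(ValueError):
    """Raised when a document declares a DTD and the strict policy forbids it."""


class ExpansionBudgetExceeded(ValueError):
    """Raised when expanded character data exceeds the configured budget."""


def parse_rejecting_dtd(data: bytes) -> list[str]:
    """Strict policy ("disable DTD"): abort on any DOCTYPE, return element names.

    Raising inside an expat handler stops the parser; pyexpat re-raises the
    exception from Parse(), so no entity declaration is ever processed.
    """
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not permitted by policy")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def parse_with_expansion_budget(data: bytes, max_chars: int) -> tuple[list[str], int]:
    """Lenient policy: allow internal entities but cap total expanded text.

    expat delivers the replacement text of internal entities through
    CharacterDataHandler, so counting what it delivers measures the real
    amplification, independent of how small the document on the wire is.
    """
    names: list[str] = []
    seen = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_chars(text):
        nonlocal seen
        seen += len(text)
        if seen > max_chars:
            raise ExpansionBudgetExceeded(
                f"expanded text exceeded {max_chars} characters")

    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return names, seen


def check_document(data: bytes, max_chars: int = 50) -> str:
    """Apply the strict policy first, fall back to the budgeted one.

    Returns "ok" (no DTD), "dtd-present-within-budget" or
    "expansion-budget-exceeded"; a deployment would log the last two.
    """
    try:
        parse_rejecting_dtd(data)
        return "ok"
    except DtdRejected:
        pass
    try:
        parse_with_expansion_budget(data, max_chars)
        return "dtd-present-within-budget"
    except ExpansionBudgetExceeded:
        return "expansion-budget-exceeded"


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("nested", NESTED_ENTITY_DOC)):
        print(label, check_document(doc))
```

The strict path is the "disable DTD" advice quoted in the post; the budgeted path is the compromise for code that, SOAP rules or not, cannot refuse a DOCTYPE outright but can refuse to let eight lines on the wire turn into gigabytes in memory. Neither needs the parser to know anything about the specific entity names, which is what makes the check robust against variations of the same trick.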
