> At 9:08 AM -0500 2/21/03, Karl Waclawek wrote:
> >There is one reason that is valid, IMO, and that is to prevent
> >"a million laughs" attacks.
> This is not a decision that should be made at the parser level
> though. Parsers do need to process documents that contain document
> type declarations. No one should ship a parser that simply gives up
> when it encounters a document type declaration.
I agree. It would be nice, however, if SAX for instance allowed
an application to stop parsing (based on an event) without
having to throw an exception.
> An application such as SOAP may decide it doesn't want to accept
> document type declarations, and reject documents that contain them,
> perhaps to avoid the billion laughs attack, perhaps for other
> reasons. I still think that's a bad idea, but it's not nearly as bad
> an idea as what's happening in JSR 172. This is turning up the
> subsetting a notch. Now the parser is making the decision to reject
> documents that contain document type declarations rather than the
> application using the parser. SOAP's mistake only affects SOAP. This
> affects everybody using that parser for any application.
> In brief, the SOAP subset is now infecting the rest of XML. This
> needs to be stopped.
Well, I am no friend of XML RPC anyway, so you have my vote there.
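The application-level DOCTYPE policy the thread argues for (the parser keeps handling document type declarations; the application decides whether to accept them), and the exception-based stop it wishes SAX could avoid, as an added example that is not from the thread. It assumes Python's xml.sax over expat in place of the Java SAX/JSR 172 parsers under discussion; the handler class, function and sample document are constructed here.

```python
# Added example; not code from the thread. It uses Python's xml.sax (expat),
# not the Java/JSR 172 parsers under discussion.
import io
import xml.sax
from xml.sax import handler

class DoctypeRejected(xml.sax.SAXException):
    """Raised by the application's own policy when it refuses a DOCTYPE."""

class PolicyHandler(handler.ContentHandler):
    """Parser still understands DTDs; this handler decides if *we* accept one."""
    def __init__(self, accept_doctype):
        super().__init__()
        self.accept_doctype = accept_doctype
        self.saw_doctype = False
        self.text = []

    # LexicalHandler callback fired when the parser meets <!DOCTYPE ...>.
    def startDTD(self, name, public_id, system_id):
        self.saw_doctype = True
        if not self.accept_doctype:
            # SAX has no "stop parsing" return value, so halting at the
            # DOCTYPE means raising, the wart the thread complains about.
            raise DoctypeRejected("DOCTYPE refused by application policy")

    # Remaining LexicalHandler callbacks expat's reader looks up; no-ops here.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

    def characters(self, content):
        self.text.append(content)

def parse_with_policy(xml_bytes, accept_doctype):
    # Returns (verdict, saw_doctype, text) for one document under one policy.
    parser = xml.sax.make_parser()
    h = PolicyHandler(accept_doctype)
    parser.setContentHandler(h)
    parser.setProperty(handler.property_lexical_handler, h)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except DoctypeRejected:
        return ("rejected", h.saw_doctype, "")
    return ("accepted", h.saw_doctype, "".join(h.text))

# Constructed sample: a harmless internal entity that still needs a DOCTYPE,
# so a DTD-refusing policy stops here while a permissive one expands it.
SAMPLE = (b'<?xml version="1.0"?>\n'
          b'<!DOCTYPE msg [<!ENTITY greet "hello">]>\n'
          b'<msg>&greet; world</msg>')
```

The same parser object serves both policies; only the handler's decision differs, which is the separation the thread asks for.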