OASIS Mailing List Archives
   Re: [xml-dev] SAX characters event and external entities


K. Ari Krupnikov writes:

 > Would you report it as a (perhaps recoverable) error? Breaking
 > character data into multiple events would defy the purpose of this
 > filter (to relieve content handlers from the need to do that
 > themselves) and do nothing to solve the security issue.

Here's an easy attack -- send you a start tag, then just keep sending
random alphanumeric characters until your system chokes.  An arbitrary
limit -- even a very high one, like a few gigabytes -- would be useful.

 > > On the other hand, high fixed limits, like (say) 16K characters for
 > > element and attribute names, might help us avoid some problems in
 > > the future.
 > 
 > This sounds like a reasonable proposition to me. But would you also
 > impose a limit on character data? Entities? In the gigabytes
 > perhaps?

No, I don't think that would be necessary.  It all depends on the
APIs, of course, but I've never seen one that splits a name into
multiple chunks before passing it on to the application, hence the
worry.


All the best,


David

-- 
David Megginson, david@megginson.com, http://www.megginson.com/
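The limit-enforcing filter the thread is discussing, as an added Python example that is not part of the original post and not code from any SAX implementation. It uses the standard library's xml.sax filter API (XMLFilterBase in front of the expat reader) and applies the two bounds mentioned above: a fixed maximum length for element and attribute names, and a running cap on character data per open element, accumulated across events because expat delivers long text in buffer-sized pieces. It also goes one step beyond the post by capping attribute values, which arrive whole and so need only one check each. The limit values, the class and function names, and the sample documents are assumptions chosen here.

```python
import io
import xml.sax
from xml.sax.saxutils import XMLFilterBase


class LimitExceeded(xml.sax.SAXException):
    """Raised when the document exceeds one of the configured limits."""


class LimitingFilter(XMLFilterBase):
    """SAX filter that enforces fixed upper bounds on names and character data.

    Expat already splits long text into several characters() events (roughly
    one per input buffer), so checking the size of a single event is useless:
    the filter keeps a running total for each open element instead.  Limit
    values below are illustrative defaults, not values from the thread.
    """

    def __init__(self, parent=None, max_name_len=16 * 1024, max_text_len=1 << 20):
        super().__init__(parent)
        self.max_name_len = max_name_len
        self.max_text_len = max_text_len
        self._open = []  # stack of [element name, characters seen so far]

    def _check_name(self, kind, name):
        if len(name) > self.max_name_len:
            raise LimitExceeded(
                f"{kind} name of {len(name)} chars exceeds limit {self.max_name_len}")

    def _check_text(self, kind, element, length):
        if length > self.max_text_len:
            raise LimitExceeded(
                f"{kind} in <{element}> exceeds limit {self.max_text_len} chars")

    def startElement(self, name, attrs):
        self._check_name("element", name)
        for attr in attrs.getNames():
            self._check_name("attribute", attr)
        # attribute values are delivered whole, so one check per value suffices
        for value in attrs.values():
            self._check_text("attribute value", name, len(value))
        self._open.append([name, 0])
        super().startElement(name, attrs)

    def characters(self, content):
        if self._open:  # expat reports no character data outside the root
            frame = self._open[-1]
            frame[1] += len(content)
            self._check_text("character data", frame[0], frame[1])
        super().characters(content)

    def endElement(self, name):
        self._open.pop()
        super().endElement(name)


def scan(doc, **limits):
    """Parse doc (bytes) through LimitingFilter; return 'ok' or the violation."""
    reader = LimitingFilter(xml.sax.make_parser(), **limits)
    reader.setContentHandler(xml.sax.ContentHandler())  # events are discarded
    try:
        reader.parse(io.BytesIO(doc))
    except LimitExceeded as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # constructed inputs: the flood attack from the post, an oversized name,
    # and a benign document
    flood = b"<r>" + b"x" * 200_000 + b"</r>"
    print(scan(flood, max_text_len=100_000))
    print(scan(b"<" + b"a" * 40 + b"/>", max_name_len=32))
    print(scan(b"<r><a>ok</a></r>"))
```

The filter stops the parse at the first violation, which is the point of the exercise: the parser never has to hold the whole run of characters, and the content handler downstream never sees it. Because the count is kept per open element, the same amount of text spread across sibling elements still passes, which is what distinguishes a deliberate flood from an ordinary large document.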
Copyright 2001 XML.org. This site is hosted by OASIS