   re: [xml-dev] SAX characters event and external entities


At 7:36 PM -0500 3/4/03, David Megginson wrote:
>K. Ari Krupnikov writes:
>  > How much of a "violation" would it be to have a caching XMLFilter that
>  > would report all contiguous character data in a single event,
>  > including across entity boundaries?

>If you did this, though, I'd suggest still putting in a hard-coded
>limit.  In fact, as XML gets used in more security-sensitive
>environments, we may need to consider putting (very high) limits on
>everything to avoid various attacks.

The theoretical maximum size of a Java array is 2.1 billion items 
(2^31 to be precise). Thus even with oodles of memory it's not always 
possible to stuff everything into a single call, especially if you
think there might be things like Base-64 encoded movies hiding in the 
XML document somewhere.

| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
|           Processing XML with Java (Addison-Wesley, 2002)          |
|              http://www.cafeconleche.org/books/xmljava             |
| http://www.amazon.com/exec/obidos/ISBN%3D0201771861/cafeaulaitA  |
|  Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
|  Read Cafe con Leche for XML News: http://www.cafeconleche.org/    |
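
An added example, not part of the original message and not code from SAX or from any of the posters: a coalescing XMLFilter of the kind discussed in this thread, which merges contiguous character data across entity boundaries but never buffers more than a hard-coded limit. The class name CoalescingFilter, the MAX_CHARS value and the sample document are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;
import org.xml.sax.helpers.*;

public class CoalescingFilter extends XMLFilterImpl {
    // Constructed, deliberately tiny limit so the split is visible; a real limit would be far higher.
    private static final int MAX_CHARS = 8;
    private final StringBuilder buf = new StringBuilder();

    public CoalescingFilter(XMLReader parent) { super(parent); }

    // Buffer instead of forwarding; emit a chunk whenever the buffer reaches the limit,
    // so memory use stays bounded however much text the document contains.
    @Override public void characters(char[] ch, int start, int length) throws SAXException {
        while (length > 0) {
            int n = Math.min(length, MAX_CHARS - buf.length());
            buf.append(ch, start, n);
            start += n;
            length -= n;
            if (buf.length() == MAX_CHARS) flush();
        }
    }

    private void flush() throws SAXException {
        if (buf.length() == 0) return;
        char[] out = new char[buf.length()];
        buf.getChars(0, out.length, out, 0);
        buf.setLength(0);
        super.characters(out, 0, out.length);
    }

    // Any event that is not character data ends the run. Entity boundaries are reported
    // through LexicalHandler, which this filter does not intercept, so they do not split a run.
    @Override public void startElement(String uri, String local, String qName, Attributes atts)
            throws SAXException { flush(); super.startElement(uri, local, qName, atts); }
    @Override public void endElement(String uri, String local, String qName)
            throws SAXException { flush(); super.endElement(uri, local, qName); }
    @Override public void processingInstruction(String target, String data)
            throws SAXException { flush(); super.processingInstruction(target, data); }

    public static void main(String[] args) throws Exception {
        // Constructed sample: text on both sides of an entity reference, then a run over the limit.
        String xml = "<!DOCTYPE d [<!ENTITY e 'BB'>]><d>AA&e;CC<x/>0123456789</d>";
        XMLReader filter = new CoalescingFilter(SAXParserFactory.newInstance().newSAXParser().getXMLReader());
        filter.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int s, int l) {
                System.out.println("characters: " + new String(ch, s, l));
            }
        });
        filter.parse(new InputSource(new StringReader(xml)));
    }
}
```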

