[
Lists Home |
Date Index |
Thread Index
]
As I sit here reading articles on digital rights management,
I find parallels between the 'soft' and 'hard' approaches to
DRM and 'soft' and 'hard' approaches to accepting formed and
valid content.
It possibly means nothing, but it seems to point to a policy
based management systems as approaches to both.
len
-----Original Message-----
From: Elliotte Rusty Harold [mailto:elharo@metalab.unc.edu]
Absolutely. In an XML context, a parser does not assume that the
document is well-formed. It checks everything it can possibly check,
and accepts as input any stream of characters, including characters
that are illegal in XML. Most parsers also operate on streams of
bytes and accept absolutely any bytes. The strict nature of XML, and
the attention paid to well-formedness, means that it's relatively
hard to slip in damaging data by violating the assumptions about the
input.
It's certainly possible to send data that the parser vendor did not
anticipate. However, if that data does not match the XML grammar, the
parser will reject it. The very nature of an XML parser is to prove
(almost if not quite mathematically) that a certain sequence of
characters satisfies the grammar. While parsers of other formats are
often implemented by assuming the data is good, XML parsers do not
assume this unless they can prove it. Many parsers for other formats
(as well many fast pseudo-XML parsers that have not been widely
adopted in practice) assume that the data looks like they expect, and
try to read it without actually checking it first. This is one way
security holes arise.
Of course XML parsers, can and do have bugs. However, when they do,
it's very easy to point at the spec and tell the vendor, "Your parser
is buggy. Fix it." When it comes to basic well-formedness checking
the major parsers today have very few if any bugs. The only ones I
can think of off the top of my head all involve parsers being too
strict and rejecting data they should accept, rather than the other
way around.
|
