OASIS Mailing List Archives



   Re: [xml-dev] Extra headaches of securing XML


On Tue, 30 Mar 2004, Rich Salz wrote:

> > and I'd bet a zillion bucks that there are awful vulnerabilities lurking 
> > in the cracks where nobody could possibly have thought to look.  -Tim
> There are some that are inherent in XML itself: entities for example, 
> and the fact that there are no size limits (element name with 1e6 
> characters, or 1e6 attributes, or a document 1e6 elements deep). This 
> makes XML inherently more "dangerous" than classic binary formats like 
> ASN.1/DER.

Maybe SGML would be more secure? Hard limits on element name sizes and
attribute counts could be enforced in the SGML declaration.

// Gregory Murphy.  Isopaleocopria.
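
The thread's point about missing size limits, as an added example that is not part of the original messages: XML itself declares no limits, so a consumer can impose them at parse time. This sketch uses Python's standard `xml.parsers.expat`; the function name, exception name and limit values are assumptions chosen for illustration.

```python
import xml.parsers.expat

class LimitExceeded(Exception):
    """Raised when a document breaks one of the configured hard limits."""

def parse_with_limits(data, max_name=64, max_attrs=32, max_depth=64,
                      max_elements=10_000, max_bytes=1_000_000):
    """Parse XML bytes, aborting at the first limit violation.
    Returns the number of elements seen. Limit values are illustrative."""
    if len(data) > max_bytes:          # bounds everything expat may buffer
        raise LimitExceeded("document too large")
    state = {"depth": 0, "count": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):            # attrs is a dict of name -> value
        state["depth"] += 1
        state["count"] += 1
        if len(name) > max_name:
            raise LimitExceeded("element name too long")
        if len(attrs) > max_attrs:
            raise LimitExceeded("too many attributes")
        if state["depth"] > max_depth:
            raise LimitExceeded("nesting too deep")
        if state["count"] > max_elements:
            raise LimitExceeded("too many elements")

    def end(name):
        state["depth"] -= 1

    def entity_decl(*args):            # refuse any <!ENTITY ...> declaration
        raise LimitExceeded("entity declarations not allowed")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)           # handler exceptions propagate to caller
    return state["count"]

if __name__ == "__main__":
    # Constructed sample inputs: one ordinary document, one nested 100 deep.
    samples = [b"<r a='1'><c/></r>", b"<a>" * 100 + b"</a>" * 100]
    for doc in samples:
        try:
            print("accepted,", parse_with_limits(doc), "elements")
        except LimitExceeded as exc:
            print("rejected:", exc)
```

The name, attribute and depth checks run only after expat has tokenized the start tag, so the up-front byte cap is what bounds memory; the other limits bound what reaches application code.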



Copyright 2001 XML.org. This site is hosted by OASIS