Rich Salz wrote:
>>If one uses XML for serializing objects and nothing else, then things
>>get easier. But developing real systems would get easier if there was a
>>way of developing them so that validity (well-typedness) is checked
>Sure, as long as (a) everyone is using the same object system, and (b)
>you're not worried about an adversary sending data that will cause your
>object-creation code to create bad/dangerous/evil objects; and (c) you are
>not worried about your objects leaking internal information, or (c') you
>take steps to prevent this, such as by having internal and external/proxy
>That's a pretty powerful set of concerns, I think, and I wouldn't
>particularly call any of them easy.
Just to be clear, I am not in favour of the "xml is just serialized
objects" view. That is basically what is underlying something like C-omega.
Still, I'd say (a) is not so much of a concern, because partners might
use some agreed on XSD with different object systems (or not objects at
If Relax NG provided something like substitution groups or type
extension, then the "xml is objects" people could use Relax NG schemata,
but then Relax NG would have some of the problems XSD has (see my
>If you treat XML as the data, and not as an object serialization format,
>then (a) you get to use the new cool SOA buzzword; and (b) you tend to
>build safer systems.
Yes. There are still adversaries that want to buffer-overflow parsers, but
at least there is no need to deal with the object-markup mismatch. But
my feeling is that people will use the buzzword for everything, and
there will be a stronger drift towards data binding.
Also for treating XML as pure data, one would appreciate more support by
The primary problem with objects and schemata is that objects do not
have ordered successors that can be specified by regular expressions.
Maybe by making objects a bit more like markup, that mismatch is diminished?
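
Concern (b) from the quoted message and the "XML as the data" alternative, side by side, as an added example that is not part of the original thread. The classes, the registry and the quantity limit are constructed for illustration and stand in for any data-binding layer.

```python
import xml.etree.ElementTree as ET

# Constructed sample types: one meant to arrive over the wire, one internal.
class Order:
    def __init__(self, item, qty):
        self.item, self.qty = item, int(qty)

class AdminSession:  # internal type, never meant to be built from input
    def __init__(self, user):
        self.user = user

# Hypothetical binding table of the kind a generic object mapper keeps.
REGISTRY = {"Order": Order, "AdminSession": AdminSession}

def bind_naive(xml_text):
    """'XML is serialized objects': the document decides what gets built."""
    root = ET.fromstring(xml_text)
    cls = REGISTRY[root.tag]        # sender chooses the class
    return cls(**root.attrib)       # sender chooses the constructor arguments

def read_order(xml_text):
    """'XML is data': accept exactly one shape, then build the object ourselves."""
    root = ET.fromstring(xml_text)
    if root.tag != "Order" or set(root.attrib) != {"item", "qty"}:
        raise ValueError("unexpected document shape")
    if len(root) or (root.text or "").strip():
        raise ValueError("unexpected content")
    qty = root.attrib["qty"]
    if not (qty.isascii() and qty.isdigit() and 1 <= int(qty) <= 1000):
        raise ValueError("qty out of range")
    return Order(root.attrib["item"], qty)

if __name__ == "__main__":
    hostile = '<AdminSession user="root"/>'   # constructed input
    print(type(bind_naive(hostile)).__name__)  # binder builds the internal type
    try:
        read_order(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The strict reader does not harden the parser itself; malformed or oversized input aimed at the parser is a separate problem, as the reply notes.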