RE: [xml-dev] The <any/> element: bane of security or savior of versioni

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

RE: [xml-dev] The <any/> element: bane of security or savior of versioning?

From: "Michael Kay" <mike@saxonica.com>
To: "'bryan rasmussen'" <rasmussen.bryan@gmail.com>,"'David Carlisle'" <davidc@nag.co.uk>
Date: Fri, 19 Oct 2007 17:08:07 +0100

> > When Any occurs in xml documents that are ran through process X the 
> > system crashes.

Well, clearly you should either fix the bug in the application or put a
fence around it to protect it from data it can't handle. But the problem is
just as likely to be that it fails on characters above 65535 as that it
fails on unexpected elements. Banning xs:any because some applications have
bugs is like banning high Unicode characters because some applications have
bugs. It's not xs:any that's the security weakness, it's the buggy
application.

Michael Kay
http://www.saxonica.com/

Follow-Ups:
- Re: [xml-dev] The <any/> element: bane of security or savior of versioning?
  - From: "bryan rasmussen" <rasmussen.bryan@gmail.com>
- RE: [xml-dev] The <any/> element: bane of security or savior of versioning?
  - From: noah_mendelsohn@us.ibm.com
- RE: [xml-dev] The <any/> element: bane of security or savior ofversioning?
  - From: Rick Jelliffe <rjelliffe@allette.com.au>

References:
- The <any/> element: bane of security or savior of versioning?
  - From: "Costello, Roger L." <costello@mitre.org>
- Re: [xml-dev] The <any/> element: bane of security or savior of versioning?
  - From: David Carlisle <davidc@nag.co.uk>
- Re: [xml-dev] The <any/> element: bane of security or savior of versioning?
  - From: "bryan rasmussen" <rasmussen.bryan@gmail.com>
- Re: [xml-dev] The <any/> element: bane of security or savior of versioning?
  - From: "bryan rasmussen" <rasmussen.bryan@gmail.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]