OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Wikipedia on XML

On Mon, Aug 24, 2009 at 11:09:37AM -0400, Amelia A Lewis wrote:
> On Mon, 24 Aug 2009 11:07:34 +0200, Michael Ludwig wrote:
> > Precisely why the internal DTD subset should be such a problem,
> > I don't understand.
> Google "billion laughs".

Google "poorly-trained programmers who write bad code" :)

JavaScript has as many vulnerabilities as XML in this regard
(and watch for all those books and articles saying you
load JSON in a browser using "eval")

There _is_ an issue with an external DTD subset that I think
is a real one, although perhaps not as major as some say -
browser writers want to avoid having to download a file that
can change the structure of the document, as then either the
browser must wait before rendering anything, or the document
may need to be rendered again from scratch.  E.g. a dtd that
puts the root element in a different namespace using a fixed


Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/
http://www.holoweb.net/~liam/ * http://www.fromoldbooks.org/

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS