XML.org: OASIS Mailing List Archives

 


RE: [xml-dev] Here's how to process XML documents written in German

Michael Kay wrote:

    Tony prefaced his advice with 
    "if you can't trust...". You (Roger) 
    left that bit out.

    Perhaps you did this on the basis 
    that you should never trust anything. 
    But if you don't trust anything, why 
    are you processing the XML at all?

That is a fascinating and puzzling set of statements, Michael.

Yes, I never trust any external input. (That is, I design my applications and web services such that external input is not trusted.) I rigorously scrutinize external input prior to allowing it into my application or web service:

    I validate the input against a tightly constrained 
    XML Schema and Schematron schema.

This helps to ensure that the data ingested by my applications and web services is the data they expect to ingest.
 
Based on the recent discussions I am thinking that it may be wise to also add normalization to the external input scrutinizer. 

Why would an application or web service be designed to trust external input? Perhaps there are circumstances where external input can be trusted, but surely they are extremely rare?

> if you don't trust anything, why 
>  are you processing the XML at all?

I don't understand your question, Michael. Why is the format of external input relevant to the trust issue? I don't trust any external input, whether it is formatted as JSON or CSV or XML or any other format.

This is a really interesting topic. How do other people deal with external input? Do you trust it and allow it immediately into your application or web service? Or do you rigorously scrutinize it, and only after it passes rigorous scrutiny allow it into your application or web service?

/Roger
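
A sketch of the kind of input scrutinizer the message above describes, added here as an example and not code from the post or the list. It assumes the normalization meant is Unicode NFC, uses a hypothetical `<person>` message format, and substitutes hand-written constraints for the XML Schema and Schematron checks so that it runs with the Python standard library alone.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Hypothetical message format: <person><name>..</name><city>..</city></person>.
# These hand-written rules stand in for the XML Schema and Schematron checks.
GERMAN_TEXT = re.compile(r"[A-Za-z\u00c4\u00d6\u00dc\u00e4\u00f6\u00fc\u00df .'-]{1,40}")
FIELDS = {"name": GERMAN_TEXT, "city": GERMAN_TEXT}


class Rejected(ValueError):
    """Raised when external input fails scrutiny."""


def scrutinize(raw: bytes) -> dict:
    """Return the normalized fields of a <person> document, or raise Rejected."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise Rejected("not UTF-8") from exc
    if "<!DOCTYPE" in text:
        raise Rejected("DTDs and entity declarations are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise Rejected(f"not well-formed: {exc}") from exc
    if root.tag != "person" or root.attrib or (root.text or "").strip():
        raise Rejected("unexpected root element, attributes or text")
    fields = {}
    for child in root:
        rule = FIELDS.get(child.tag)
        if (rule is None or child.tag in fields or child.attrib
                or len(child) or (child.tail or "").strip()):
            raise Rejected(f"unexpected content at <{child.tag}>")
        # Normalize first, then validate, so the rule sees one canonical form.
        value = unicodedata.normalize("NFC", child.text or "")
        if not rule.fullmatch(value):
            raise Rejected(f"<{child.tag}> fails its constraint")
        fields[child.tag] = value
    if fields.keys() != FIELDS.keys():
        raise Rejected("missing required element")
    return fields


# Constructed samples: the same text with precomposed and decomposed umlauts.
COMPOSED = "<person><name>M\u00fcller</name><city>K\u00f6ln</city></person>".encode()
DECOMPOSED = "<person><name>Mu\u0308ller</name><city>Ko\u0308ln</city></person>".encode()

if __name__ == "__main__":
    print(scrutinize(COMPOSED) == scrutinize(DECOMPOSED))
```

Without the NFC step the decomposed sample would fail the character allow-list even though it renders identically to the composed one.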



Copyright 1993-2007 XML.org. This site is hosted by OASIS