OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Principle #1 in validating XML documents

Hi Folks,

Suppose you deploy a web service and it operates like this:

1. Receive inbound XML.

2. Validate XML.

3. Application processes XML.

Suppose the application performs several conversions on the XML before processing it:

a. Unicode normalization: converts the XML to Unicode Normalization Form C (NFC). This is the standard form for data exchanges on the web.

b. Noncharacter code points: deletes all noncharacter code points from the XML. See [1] for a description of noncharacter code points.

c. Other conversions ...

Here is principle #1 in validating XML documents:

	Validate AFTER conversions.

Normalize the XML and delete noncharacter code points (and any other conversions), and then validate.

Why? Because attacks that are resident in the XML are exposed after conversions. Validating before doing the conversions may not reveal the attacks. (See [2] for a description of various attacks.)

Revise the web service:

1. Receive inbound XML.

2. Perform all conversions on the XML.

2. Validate the converted XML.

3. Application processes the converted XML.



[1] http://www.unicode.org/reports/tr36/#Deletion_of_Noncharacters

[2] http://www.unicode.org/reports/tr36/ 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS