Re: Malicious documents? (WAS: Interesting mailing list & a r
Miles Sabin wrote > > > Which means that even if developers are aware that they ought to > > > disable external entity retrieval, and are aware of how to do it, > > > they have no guarantee that it'll actually happen. > > > > Sure they do. If the SAX parser they are using doesn't support the > > feature, then they'll get a [SAXNotRecognizedException] when they > > try to set it. > > But then we have a slightly different problem. Developers who try to do > the right thing will be hit by interoperability issues. Either that or > they have to specify a particular (set of) SAX implementation(s) which > somewhat undermines SAX as a common API. > > On reflection, I think that SAX should be tweaked to at least require > support for this feature, and maybe mandate that the default be to not > retrieve external entities. It seems reasonable that the feature be mandatory, (so long as you don't mandate that all SAX parsers accept a value of "true", as some just won't have the ability to read network resources). I'm not sure how existing applications would be affected if the default value was mandated rather than being unspecified as it is at present. The process for suggesting this kind of change to SAX involves raising an RFE on the sourceforge site . Regards ~Rob  http://sourceforge.net/tracker/?group_id=29449
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format