
RE: Interesting mailing list & a rare broadside



>> Now suppose I change example.xml to:
>>
>> <bar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>    xsi:noNamespaceSchemaLocation="bar.xsd"/>
>>
>> where bar.xsd is:
>>
>> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>
>> <xs:element name="bar">
>>   <xs:complexType/>
>> </xs:element>
>>
>> </xs:schema>
>>
>> Is there also some way to tell MSXML not to allow the
>> instance to provide additional schemas so that this would be
>> detected as invalid as well?
>>
>
> Oops, forgot to answer this.
>
> Since xsi:noNamespaceSchemaLocation is a hint, it can be ignored at the
> discretion of the implementation. MSXML ignores the namespace location
> in the instance document if
>
> A.) No validation is requested by the user either via setting
> validateOnParse property or invoking the validate() method.
>
> OR
>
> B.) A schema is provided by the user via an XML Schema Cache for
> validating the document.

So, are you saying that the answer to my question is basically "no", since 
there is always the possibility that the root element of the instance will 
use a namespace not in the schema cache?

If that's so, although it's perfectly conformant, it seems like a fairly 
major potential security/robustness hole.  Suppose an application is trying 
to use validation to protect itself from bad input. It carefully loads the 
schema cache with the namespaces it knows about, and calls validate().  Now 
the bad guy comes along and uses a root element from some other namespace 
and uses xsi:schemaLocation to point to his own schema that has a 
declaration for that element and uses <xs:any namespace="##any" 
processContents="skip"/>.  Won't they just have almost completely 
undermined any protection that was supposed to come from validation?

James
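The check a practitioner would want in front of the validator, as an added example that is not part of James's message or the original thread: a small pre-validation gate written with Python's standard-library xml.etree. It refuses a document whose root element is not one of the (namespace, local-name) pairs the application loaded into its schema cache, and it refuses any document that carries an xsi:schemaLocation or xsi:noNamespaceSchemaLocation hint anywhere in the tree, so the validator is never asked to honour an instance-supplied schema. ALLOWED_ROOTS is a hypothetical allow-list, the sample documents are constructed for the example (the second one is the instance quoted above), and the validator itself (MSXML or anything else) is out of scope.

```python
"""Pre-validation gate for the xsi:schemaLocation bypass discussed above.

Added example, not from the thread.  The validator itself (MSXML, libxml2, ...)
is out of scope; this runs before it and only decides whether the document may
be handed to the schema cache at all.  ALLOWED_ROOTS is a hypothetical
allow-list and the sample documents below are constructed for the example.
"""
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
HINT_ATTRS = (
    "{%s}schemaLocation" % XSI_NS,
    "{%s}noNamespaceSchemaLocation" % XSI_NS,
)

# Hypothetical: the (namespace, local-name) pairs whose schemas the application
# has loaded into its cache.  None stands for "no namespace".
ALLOWED_ROOTS = {
    ("urn:example:orders", "order"),
    (None, "foo"),
}


def split_tag(tag):
    """ElementTree spells a namespaced tag as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return None, tag


def find_schema_hints(root):
    """Every xsi:schemaLocation / xsi:noNamespaceSchemaLocation in the document.

    xsi:schemaLocation may sit on any element, not only the root, so the whole
    tree is walked.  Returns a list of (element tag, attribute local name, value).
    """
    hints = []
    for elem in root.iter():
        for attr in HINT_ATTRS:
            if attr in elem.attrib:
                hints.append((elem.tag, attr.split("}")[1], elem.attrib[attr]))
    return hints


def gate(xml_bytes):
    """Return (accepted, reason).

    Rejects the document if its root element is not one the schema cache knows,
    or if any element carries a schema location hint.  Together these are the
    opening James describes: a root from an unexpected namespace plus a hint
    pointing at an attacker-supplied schema with <xs:any processContents="skip"/>.
    """
    root = ET.fromstring(xml_bytes)
    ns, local = split_tag(root.tag)
    if (ns, local) not in ALLOWED_ROOTS:
        return False, "unexpected root element {%s}%s" % (ns or "", local)
    hints = find_schema_hints(root)
    if hints:
        tag, attr, value = hints[0]
        return False, "schema location hint rejected: xsi:%s=%r on %s" % (attr, value, tag)
    return True, "ok"


# Constructed sample documents.
BENIGN = b"<foo><bar/></foo>"
# The instance quoted in the thread: root "bar" is not in the cache.
OTHER_ROOT = (b'<bar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
              b'xsi:noNamespaceSchemaLocation="bar.xsd"/>')
# Known root, but the instance tries to bring its own schema.
HINT_ON_ROOT = (b'<foo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                b'xsi:noNamespaceSchemaLocation="evil.xsd"><bar/></foo>')
# Hint buried on a child element, where a root-only check would miss it.
HINT_NESTED = (b'<foo><bar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
               b'xsi:schemaLocation="urn:evil evil.xsd"/></foo>')

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("other_root", OTHER_ROOT),
                      ("hint_on_root", HINT_ON_ROOT), ("hint_nested", HINT_NESTED)]:
        print(name, gate(doc))
```

The gate rejects rather than strips the hint attributes: a document that tries to supply its own schema is treated as hostile input, not repaired. It does not replace validation; the validator still has to be run against the cached schemas only, so that case B from the quoted reply (hints ignored because the user supplied the schema) is the only path the application ever takes.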

