Re: Malicious documents? (WAS: Interesting mailing list & a r
Rob Lugt wrote, > Ronald Bourret wrote > > Worse yet, this isn't limited to validation. A parser is free to > > read an external DTD (to get attribute defaults and entity values) > > even when it isn't validating. I haven't looked at any of the > > parsers I've used closely enough, but it would surprise me if any > > had a way to turn this completely off. > > Hi Ron, prepare to be pleasantly surprised. There is a standard > feature in SAX called > "http://xml.org/sax/features/external-parameter-entities", which > prevents the parser from reading any external entities - including > the external DTD subset. And the default is? > Not all SAX parsers support this feature, but many do (ours included). Which means that even if developers are aware that they ought to disable external entity retrieval, and are aware of how to do it, they have no guarantee that it'll actually happen. Cheers, Miles
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format