Re: Malicious documents? (WAS: Interesting mailing list & a r
Miles Sabin wrote > > > > Hi Ron, prepare to be pleasantly surprised. There is a standard > > feature in SAX called > > "http://xml.org/sax/features/external-parameter-entities", which > > prevents the parser from reading any external entities - including > > the external DTD subset. > > And the default is? According to the SAX specification  the default is unspecified. But if validation is enabled, then is must be set to "true". > > > Not all SAX parsers support this feature, but many do (ours included). > > Which means that even if developers are aware that they ought to disable > external entity retrieval, and are aware of how to do it, they have no > guarantee that it'll actually happen. Sure they do. If the SAX parser they are using doesn't support the feature, then they'll get an UnsupportedFeatureException when they try to set it. Regards ~Rob  http://www.saxproject.org/apidoc/org/xml/sax/package-summary.html#package_de scription
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format