Re: Internal entities removed from XML?
On Thu, 19 Dec 2002 17:56:00 +0000, Bill de hÓra <bill.dehora@p...> wrote: > > > I'm not asking for the feature to be removed, just make the default > setting compliant with XML. If you don't want entities expanded, turn > them off. Having to turn them on frankly breaks with the spirit of > things. > Upon reflection, I guess I am very ambivalent, but tending toward being convinced by the arguments here. The only compelling reasons for defaulting to "no entities" that I can think of are a) the statistical likelihood that external entities will cause problems; and b) the billion laughs DOS attack. I have no idea if the latter was part of MS's design decision, but http://online.securityfocus.com/archive/1/303509/2002-12-13/2002-12- 19/0 does suggest "If possible, disable DTD in the XML parser. This requires raw access to the XML parser API, which is usually impossible for Web Services applications." (Of course, a SOAP message shouldn't have a DTD in the first place, but, ahem, "be liberal in what you consume" ...). Still, on balance, the argument that "System.XML should play by the XML rules rather than the SOAP rules, define a System.SOAP if you want to expose the SOAP rules" is pretty persuasive. But I guess I don't think of this as a black/white compliant/non-compliant issue, but just another one of the shades-of-grey things we have to deal with. I'm frankly glad I don't have to make the decision! Damned if you appear to be non- compliant, double-damned if your customers get hit with some (accidental or deliberate) performance hit from a recursive entity expansion scenario.
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format