re: SAX characters event and external entities
At 7:36 PM -0500 3/4/03, David Megginson wrote:
>K. Ari Krupnikov writes:
>
> > How much of a "violation" would it be to have a caching XMLFilter that
> > would report all contiguous character data in a single event,
> > including across entity boundaries?
>
>If you did this, though, I'd suggest still putting in a hard-coded
>limit. In fact, as XML gets used in more security-sensitive
>environments, we may need to consider putting (very high) limits on
>everything to avoid various attacks.

The theoretical maximum size of a Java array is 2.1 billion items (2^31 to be precise). Thus even with oodles of memory it's not always possible to stuff everything into a single call, especially if you think there might be things like Base-64 encoded movies hiding in the XML document somewhere.

--
+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@m...            | Writer/Programmer |
+-----------------------+------------------------+-------------------+
| Processing XML with Java (Addison-Wesley, 2002)                    |
| http://www.cafeconleche.org/books/xmljava                          |
| http://www.amazon.com/exec/obidos/ISBN%3D0201771861/cafeaulaitA    |
+----------------------------------+---------------------------------+
| Read Cafe au Lait for Java News: http://www.cafeaulait.org/        |
| Read Cafe con Leche for XML News: http://www.cafeconleche.org/     |
+----------------------------------+---------------------------------+
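
The filter discussed in this thread, written out as an added example (not code from any of the posters): a SAX `XMLFilterImpl` subclass that merges contiguous `characters()` events but flushes whenever a hard cap is reached, so buffered text can never exceed a fixed size. The class name `CoalescingFilter` and the `maxChars` parameter are hypothetical.

```java
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.XMLFilterImpl;

// Hypothetical filter: coalesces adjacent character data, bounded by maxChars.
public class CoalescingFilter extends XMLFilterImpl {
    private final int maxChars;                        // assumed cap, chosen by the caller
    private final StringBuilder buf = new StringBuilder();

    public CoalescingFilter(int maxChars) {
        if (maxChars <= 0) throw new IllegalArgumentException("maxChars must be positive");
        this.maxChars = maxChars;
    }

    @Override
    public void characters(char[] ch, int start, int length) throws SAXException {
        // Entity start/end are LexicalHandler events, which this filter never sees,
        // so text on both sides of an entity boundary lands in the same buffer.
        while (length > 0) {
            int n = Math.min(maxChars - buf.length(), length);  // always >= 1 here
            buf.append(ch, start, n);
            start += n;
            length -= n;
            if (buf.length() == maxChars) flush();              // hard limit reached
        }
    }

    // Emit the buffered run as one characters() event and reset the buffer.
    private void flush() throws SAXException {
        if (buf.length() == 0) return;
        char[] out = new char[buf.length()];
        buf.getChars(0, out.length, out, 0);
        buf.setLength(0);
        super.characters(out, 0, out.length);
    }

    // Every other content event ends the current run, so flush before forwarding it.
    @Override public void startPrefixMapping(String prefix, String uri) throws SAXException { flush(); super.startPrefixMapping(prefix, uri); }
    @Override public void startElement(String uri, String local, String qName, Attributes atts) throws SAXException { flush(); super.startElement(uri, local, qName, atts); }
    @Override public void endElement(String uri, String local, String qName) throws SAXException { flush(); super.endElement(uri, local, qName); }
    @Override public void processingInstruction(String target, String data) throws SAXException { flush(); super.processingInstruction(target, data); }
    @Override public void ignorableWhitespace(char[] ch, int start, int length) throws SAXException { flush(); super.ignorableWhitespace(ch, start, length); }
    @Override public void skippedEntity(String name) throws SAXException { flush(); super.skippedEntity(name); }
    @Override public void endDocument() throws SAXException { flush(); super.endDocument(); }
}
```

Downstream handlers still have to accept more than one `characters()` call per text run, since a run longer than the cap is delivered in pieces, and a flush at the cap can split a surrogate pair across two events.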