[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: SAX characters event and external entities

• To: xml-dev@l...
• Subject: Re: SAX characters event and external entities
• From: Richard Tobin <richard@c...>
• Date: Wed, 5 Mar 2003 23:27:13 GMT
• Cc:
• In-reply-to: <15973.22900.234172.936044@m...>
• Organization: HCRC, University of Edinburgh

>Here's an easy attack -- send you a start tag, then just keep sending
>random alphanumeric characters until your system chokes.  An arbitrary
>limit -- even a very high one, like a few gigabytes -- would be useful.

This seems like the wrong level to deal with it.  If your worry is
memory use, limit memory use, not the length of element names.  Either
use the operating system's facilities for limiting memory, or have a
special purpose allocator.  (Or is that too difficult in languages like
Java?)

I had to address this in my on-line validator, and did it by using
unix's memory and cpu time limits.

-- Richard

• References:
  • Re: SAX characters event and external entities
    • From: David Megginson <david@m...>

• Prev by Date: Re: SAX characters event and external entities
• Next by Date: Re: Life as an SGML Neanderthal (WAS RE: The subsetting has begun)
• Previous by thread: Re: SAX characters event and external entities
• Next by thread: re: SAX characters event and external entities
• Index(es):
  • Date
  • Thread