[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Hostility to "binary XML" (was Re: XML 2004 webl

Re:  Hostility to "binary XML" (was Re:  XML 2004 webl
On Mon, Nov 22, 2004 at 11:52:09PM +0200, Oleg Tkachenko wrote:
> Liam Quin wrote:
> >One can do validation in the writer and then plausibly skip the sort of
> >checks you mention in a reader, and still be talking about XML, even
> >with today's textual interchange formats.
> I believe that would be a disaster from security's "all input is evil" 
> point of view.

I didn't say to skip _all_ checks!!!  Nor in fact do I think it's a
good thing.  A better way is to design a format in which such checks
are not needed because the format can't represent the error conditions
which Derek mentioned.  Doing that generally requires a schema-aware
connection (or at least DTD-aware).

In practice I doubt that checking for duplicated attribute values is
often a significant CPU expense but I haven't ever measured.

The trick here would be to design the next layer up (the application) to
be robust in the face of such errors, and to design the unbinarification
layer to deliver the input robustly.  This is an issue for all
processing, whether of data generated internally within a program or
externally and read as input.  Part of the trick to getting it right lies
in identifying the boundaries correctly, but there's no single right
answer to writing secure and/or robust systems, and relaxing constraints
on the input data shouldn't be the deciding factor.


Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/


Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.