re-reading the "least power" finding .... was RE: 2007 Predict
> -----Original Message-----
> From: Michael Champion [mailto:mc@x...]
> Sent: Saturday, January 20, 2007 7:18 AM
> To: 'noah_mendelsohn@u...'
> Cc: 'XML Developers List'
> Subject: RE: 2007 Predictions
>
> This finding reminds me of the emperor in "Amadeus" telling Mozart that he
> used too many notes. If the Web really did follow the W3C's lead, the current
> state-of-the-art web applications would never have been invented. These tend
> to download semi-opaque blobs of Javascript ...

After re-reading the final, edited-by-Noah version of the Rule of Least Power, I don't have quite as negative a reaction as I did to my memory of TimBL's "axioms" and the TAG list discussion a year ago. If this is mainly a warning that putting executable code on the Web is dangerous, it's hard to disagree, but of course there are benefits that outweigh the potential dangers for most people. After all, we all risk horrible death in automobiles every day because their power and convenience outweighs their dangers. Also, it's clear from a re-reading that they're talking about languages used to publish information, not the complexity of a service implementation behind the Web.

BUT it seems worth noting that first-generation XML standards widely deployed have similar problems. Maybe I would have had a less negative reaction to the finding had these problems been called out along with those of AJAX.

First, XML is in some sense "too powerful" even though it is not Turing complete. The recursive entity definition mechanism allows documents to be created that require an exponential time order of magnitude to parse (the "billion laughs" attack). Also, XSLT *is* Turing complete, as the finding notes. In principle an XML parser or XSLT engine could do the analysis that the finding suggests, but AFAIK actual implementations today just run the program and see what happens, just as with Javascript.

My very limited discussions with smarter people than I am about adding logic to an XML parser that would detect DoS attacks while maintaining full conformance with the spec indicate that this would make it unacceptably slow. The practical advice is not "use the language with the least power", since sufficient power to do anything interesting on today's Web is sufficient power to do evil.

Hmm, I could go on but Len just said it so much better than I possibly could :-)
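
The entity growth mentioned in the message above, as an added example that is not part of the original post: a pre-parse check that measures how large each internal general entity would become from its declarations alone, so a caller can reject a document over a size budget before any expansion happens. The function names, the budget parameter and the sample document are hypothetical and constructed for illustration.

```python
import re

# Internal general entity declarations: <!ENTITY name "value">.
# Parameter entities (<!ENTITY % ...>) and external entities are not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

# Constructed sample: each level references the previous one four times.
SAMPLE = """<!DOCTYPE r [
  <!ENTITY e0 "ha">
  <!ENTITY e1 "&e0;&e0;&e0;&e0;">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;">
]>
<r>&e3;</r>
"""

def expanded_sizes(xml_text):
    """Map each declared entity to its expanded length, without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)   # the first declaration of a name wins
    sizes, in_progress = {}, set()

    def size(name):
        if name in PREDEFINED:
            return 1
        if name in sizes:
            return sizes[name]          # memoised: each entity is measured once
        if name not in decls or name in in_progress:
            raise ValueError("undeclared or self-referencing entity: " + name)
        in_progress.add(name)
        value = decls[name]
        # Character references (&#...;) are counted at literal length,
        # which slightly overestimates.
        total = len(ENTITY_REF.sub("", value)) + sum(
            size(ref) for ref in ENTITY_REF.findall(value))
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes

def body_size(xml_text):
    """Expanded length of everything after the internal subset's closing ']>'."""
    sizes = expanded_sizes(xml_text)
    body = xml_text.split("]>", 1)[-1]
    refs = ENTITY_REF.findall(body)
    return len(ENTITY_REF.sub("", body)) + sum(
        1 if r in PREDEFINED else sizes[r] for r in refs)

def is_safe(xml_text, budget):
    """False when the document exceeds the budget or its entities are malformed."""
    try:
        return body_size(xml_text) <= budget
    except (ValueError, KeyError):
        return False
```

Each level multiplies the size by the number of references it contains, while the check visits every declaration once.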