The <any/> element: bane of security or savior of versioning?
Hi Folks,

In the repertoire of XML Schemas is the <any/> element.

The <any/> element is used in an XML Schema to instruct an XML instance document author: "At this point in your document you can have any element or any string you desire."

From a security perspective the <any/> element represents a high risk and should be avoided if possible. In environments where schema validation is used in a guarding capacity, a schema that uses the <any/> element is likely to be marked as high risk or even forbidden from use.

The solution seems clear: don't use the <any/> element.

But the situation isn't so simple....

Versioning XML Schemas is important. As requirements change the schema must change, and you would like for the schema versions to be backward and forward compatible. That is, you would like for an application written to an old version of the schema to be able to process XML instance documents written to a new version of the schema and vice versa.

As we discussed on this list a couple months ago, the only way you can achieve backward and forward compatibility in XML Schemas is through the use of the <any/> element [1].

Thus you are left with two choices:

1. Be secure and don't use the <any/> element. Forego backward and forward compatibility.

2. Use the <any/> element to achieve backward and forward compatibility. Forego security.

This is a serious problem for my clients. There must be alternatives. Any suggestions?

/Roger

[1] http://www.xfront.com/backward-forward-compatibility/
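A check of the kind a schema-guarding environment could run before accepting a schema, added here as an example and not part of the original message: it lists every xs:any / xs:anyAttribute wildcard with its location, namespace constraint and processContents mode. The sample schema is constructed, and the risk ratings are an assumed review policy based on how much of the wildcard content the validator actually checks.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
# Assumed review policy (not from the post): rate by how much the validator checks.
RISK = {"skip": "high", "lax": "medium", "strict": "low"}

# Constructed sample schema, not taken from the original message.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Book">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Title" type="xs:string"/>
        <xs:any namespace="##any" processContents="skip"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:anyAttribute namespace="##other" processContents="lax"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Note">
    <xs:complexType>
      <xs:sequence>
        <xs:any namespace="urn:example:ext"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""


def audit_wildcards(xsd_text):
    """Return one finding per xs:any / xs:anyAttribute, in document order."""
    findings = []

    def walk(node, path):
        for child in node:
            if not child.tag.startswith(XS):
                continue  # foreign markup, e.g. inside xs:appinfo
            local = child.tag[len(XS):]
            name = child.get("name")
            here = f"{path}/{local}[{name}]" if name else f"{path}/{local}"
            if local in ("any", "anyAttribute"):
                # XSD defaults: namespace="##any", processContents="strict"
                pc = child.get("processContents", "strict")
                findings.append({"path": here, "risk": RISK.get(pc, "high"),
                                 "namespace": child.get("namespace", "##any"),
                                 "processContents": pc})
            walk(child, here)

    walk(ET.fromstring(xsd_text), "schema")
    return findings
```

Calling `audit_wildcards(SAMPLE_XSD)` returns three findings; a guard can reject the schema outright or only above a chosen rating.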