XML-DEV Mailing List Archive
Re: The <any/> element: bane of security or savior of versioni
Hi Roger,

I would suggest looking at the way we handled extensibility in UBL as straddling the line between security of data and extensibility of markup. I would say however that it only provided a starting point for how extensibility should really be provided in critical data formats (I'm gonna go out on a limb here and say that people feel more comfortable allowing any usage in something like RSS than they do in something like an XML marked-up Invoice.)

Cheers,
Bryan Rasmussen

On 10/19/07, Costello, Roger L. <costello@m...> wrote:
> Hi Folks,
>
> In the repertoire of XML Schemas is the <any/> element. The <any/>
> element is used in an XML Schema to instruct an XML instance document
> author: "At this point in your document you can have any element or any
> string you desire."
>
> From a security perspective the <any/> element represents a high risk
> and should be avoided if possible. In environments where schema
> validation is used in a guarding capacity, a schema that uses the
> <any/> element is likely to be marked as high risk or even forbidden
> from use.
>
> The solution seems clear: don't use the <any/> element.
>
> But the situation isn't so simple....
>
> Versioning XML Schemas is important. As requirements change the schema
> must change, and you would like for the schema versions to be backward
> and forward compatible. That is, you would like for an application
> written to an old version of the schema to be able to process XML
> instance documents written to a new version of the schema and vice
> versa.
>
> As we discussed on this list a couple of months ago, the only way you can
> achieve backward and forward compatibility in XML Schemas is through
> the use of the <any/> element [1].
>
> Thus you are left with two choices:
>
> 1. Be secure and don't use the <any/> element. Forego backward and
> forward compatibility.
>
> 2. Use the <any/> element to achieve backward and forward
> compatibility. Forego security.
>
> This is a serious problem for my clients.
>
> There must be alternatives.
>
> Any suggestions?
>
> /Roger
>
> [1] http://www.xfront.com/backward-forward-compatibility/
>
> _______________________________________________________________________
>
> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
> to support XML implementation and development. To minimize
> spam in the archives, you must subscribe before posting.
>
> List archive: http://lists.xml.org/archives/xml-dev/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
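The two horns of the dilemma in Roger's quoted message can be observed directly by validating the same documents against three variants of one v1 schema: no wildcard, a lax <xs:any>, and a strict <xs:any>. The following is an added example and is not code from either poster, from UBL, or from the xfront article; the schemas, the namespaces urn:example:invoice:v1, urn:example:invoice:v2 and urn:attacker, both instance documents and the class name AnyElementDemo are constructed for illustration. It uses only the JAXP validation API (javax.xml.validation) that ships with the JDK.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class AnyElementDemo {

    // Constructed namespace for the "old" (v1) Invoice vocabulary.
    private static final String NS_V1 = "urn:example:invoice:v1";

    // Builds a constructed v1 Invoice schema. With processContents == null the
    // schema has no extension point at all; otherwise an <xs:any> for elements
    // from any *other* namespace follows <Amount>, in the given mode.
    static String invoiceSchema(String processContents) {
        String any = processContents == null ? "" :
            "<xs:any namespace=\"##other\" processContents=\"" + processContents
            + "\" minOccurs=\"0\" maxOccurs=\"unbounded\"/>";
        return "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
             + " targetNamespace=\"" + NS_V1 + "\" xmlns=\"" + NS_V1 + "\""
             + " elementFormDefault=\"qualified\">"
             + "<xs:element name=\"Invoice\"><xs:complexType><xs:sequence>"
             + "<xs:element name=\"Amount\" type=\"xs:decimal\"/>"
             + any
             + "</xs:sequence></xs:complexType></xs:element>"
             + "</xs:schema>";
    }

    // Constructed v2 instance: a newer producer added <Currency> in a v2
    // namespace. A v1 consumer should ideally still accept this document.
    static final String V2_INSTANCE =
        "<Invoice xmlns=\"" + NS_V1 + "\" xmlns:v2=\"urn:example:invoice:v2\">"
      + "<Amount>100.00</Amount><v2:Currency>EUR</v2:Currency></Invoice>";

    // Constructed hostile instance: the same extension point now carries an
    // element nobody defined, which a careless downstream consumer might trust.
    static final String HOSTILE_INSTANCE =
        "<Invoice xmlns=\"" + NS_V1 + "\" xmlns:x=\"urn:attacker\">"
      + "<Amount>100.00</Amount><x:Approved by=\"nobody\">yes</x:Approved></Invoice>";

    // Validates one instance against one schema and returns "valid" or the
    // validator's reason for rejection.
    static String validate(String schemaXml, String instanceXml) {
        try {
            SchemaFactory factory =
                SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Harden the XML processing itself: secure-processing limits and no
            // fetching of external DTDs or schemas while loading or validating.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            Schema schema = factory.newSchema(
                new StreamSource(new StringReader(schemaXml)));
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(instanceXml)));
            return "valid";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String[][] schemas = {
            {"v1 schema, no <xs:any>",      invoiceSchema(null)},
            {"v1 schema, <xs:any> lax",     invoiceSchema("lax")},
            {"v1 schema, <xs:any> strict",  invoiceSchema("strict")},
        };
        for (String[] s : schemas) {
            System.out.println(s[0]);
            System.out.println("  v2 instance:      " + validate(s[1], V2_INSTANCE));
            System.out.println("  hostile instance: " + validate(s[1], HOSTILE_INSTANCE));
        }
    }
}
```

Running it shows the trade-off in one screen: the schema with no wildcard rejects the hostile document but also rejects the legitimate v2 document, so there is no forward compatibility; the lax wildcard accepts the v2 document and, by exactly the same rule, the hostile one, so schema validation no longer guards the extension content at all; the strict wildcard rejects both, because no schema is known for either foreign namespace, which restores the guard only by giving up forward compatibility again. The practical consequence for a consumer that must use the lax form is that anything matched by the wildcard has to be treated as unvalidated input by the application code behind the validator, not as data the schema has already checked.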