Hi,

Florian Lohoff wrote:
> It's not that the xml is broken afterwards but people could start putting
> bad things into the database by closing a tag and reopening a new one.

Excuse me? How do you think that could happen? The backslash has no special meaning in XML, it is just a character like any other. It does not require escaping.

There is no XML injection attack possible here because any XML you try to inject would either have to be quoted properly, in which case it will just sit there as plain strings, or if it isn't quoted then it will not be inserted verbatim. (It will either fail to parse, or if it is structured in a way that the XML is valid and contains superfluous tags, these will probably be dropped silently as we don't validate to a schema or DTD.)

If you believe there is a way to put "bad things" into the database, try it out and show us results.

Bye
Frederik
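The quoting behaviour discussed in this message, as an added example that is not part of the original post and not OpenStreetMap code: Python's standard xml.etree.ElementTree writes and re-reads an OSM-style tag value. The sample values, raw_concat and the other helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample values for an OSM-style <tag k="..." v="..."/> element.
SAMPLES = [
    "C:\\path\\name",               # backslashes: ordinary characters in XML
    'x"/><tag k="injected" v="1',   # tries to close the attribute and open a new tag
    "<node id='1'/> & more",        # markup characters inside a value
]

def serialize_tag(key, value):
    """Build <node><tag .../></node> with an XML writer, which escapes the value."""
    node = ET.Element("node")
    ET.SubElement(node, "tag", {"k": key, "v": value})
    return ET.tostring(node, encoding="unicode")

def read_tags(xml_text):
    """Parse the document and return (k, v) for every <tag> under the root."""
    root = ET.fromstring(xml_text)
    return [(t.get("k"), t.get("v")) for t in root.findall("tag")]

def raw_concat(key, value):
    """Hypothetical naive writer that pastes the value in without escaping."""
    return '<node><tag k="%s" v="%s"/></node>' % (key, value)

def parses(xml_text):
    """True if the text is well-formed XML, False if the parser rejects it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    # Properly quoted: every value comes back as the same plain string.
    for value in SAMPLES:
        doc = serialize_tag("name", value)
        print(doc, "->", read_tags(doc))
    # Not quoted: the parser either rejects the document...
    print(parses(raw_concat("name", SAMPLES[2])))
    # ...or reads ordinary elements; the string is never stored verbatim.
    print(read_tags(raw_concat("name", SAMPLES[1])))
```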

