On 11/16/11 1:51 PM, "Yang Yu" <[email protected]> wrote:
>It's great to know the search will be off by default in the future
>release. Nasty security problem could happen because of it. Do you know
>which future release will include this feature?

No, I have nothing to do with the Java development.

For the record, turning it off isn't at all sufficient to prevent those security problems. I think they're pretty well intractable in general absent very specific scenarios. If you can't sign the whole document, I'd be very wary and I certainly wouldn't trust that any code I didn't write was correct. Nothing the library can do about it, it's up to the other layers.

-- Scott
