I'm not sure if we are talking about the same problem. :) But I think I get the general idea. Thank you very much for your help, Scott.
On Wed, Nov 16, 2011 at 11:00 AM, Cantor, Scott <[email protected]> wrote:
> On 11/16/11 1:51 PM, "Yang Yu" <[email protected]> wrote:
>
> >It's great to know the search will be off by default in the future
> >release. Nasty security problem could happen because of it. Do you know
> >which future release will include this feature?
>
> No, I have nothing to do with the Java development.
>
> For the record, turning it off isn't at all sufficient to prevent those
> security problems. I think they're pretty well intractable in general
> absent very specific scenarios. If you can't sign the whole document, I'd
> be very wary and I certainly wouldn't trust that any code I didn't write
> was correct. Nothing the library can do about it, it's up to the other
> layers.
>
> -- Scott
