Okay, so what you've just said is that you can use schema validation and xmlsec together. Is that really what is intended?
On Tue, Dec 20, 2011 at 11:12, Sean Mullan <[email protected]> wrote:
> The code does still call DOM Document.getElementById, but how does that make
> it possible to do an attack? The trusted validation code should be creating
> the Document and registering the IDs. If you are letting untrusted code
> create the Document for you and register arbitrary IDs, then that is a bug.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
