> This attack does not appear to apply to the Java DOM implementation, as the
> entire node value is parsed - and not just the bit up to the comment.

That's not universally true, it's a function of the parser settings used. Java parsing can be vulnerable or not, it's outside the scope of Santuario unless Santuario explicitly configures a parser. I didn't think it did, but I didn't look.

-- Scott
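Added example, not part of the original message and not Santuario code: a Java check that parses one document under two `DocumentBuilderFactory` settings and prints what a caller sees from the first text node versus `getTextContent()`. The element name, the sample value and the class name `CommentSplitCheck` are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class CommentSplitCheck {
    // Constructed sample: a comment placed in the middle of an element's text.
    static final String XML =
        "<Value>alice@example.com<!-- c -->.example.net</Value>";

    // Parse the sample with comments either retained or dropped by the parser.
    static Element parse(boolean ignoreComments) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setIgnoringComments(ignoreComments); // the setting under test
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    // What code sees if it reads only the first child node of the element.
    static String firstChildValue(Element e) {
        Node n = e.getFirstChild();
        return n == null ? "" : n.getNodeValue();
    }

    // True when the first text node does not carry the element's whole text,
    // i.e. a caller reading only that node would act on a partial value.
    static boolean isSplit(Element e) {
        return !firstChildValue(e).equals(e.getTextContent());
    }

    static void report(boolean ignoreComments) throws Exception {
        Element e = parse(ignoreComments);
        System.out.println("ignoringComments=" + ignoreComments);
        System.out.println("  child nodes      : " + e.getChildNodes().getLength());
        System.out.println("  first child value: " + firstChildValue(e));
        // getTextContent() concatenates descendant text and skips comment nodes.
        System.out.println("  getTextContent() : " + e.getTextContent());
        System.out.println("  split detected   : " + isSplit(e));
    }

    public static void main(String[] args) throws Exception {
        report(false); // comments kept as DOM nodes between the text nodes
        report(true);  // comments dropped by the parser
    }
}
```

Running it against the parser configuration an application actually uses shows whether code that reads a single text node can receive less than the full signed value.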
