ppkarwasz commented on PR #23: URL: https://github.com/apache/commons-xml/pull/23#issuecomment-4938583006
Agreed, and the same logic applies to our threat model. We should add a disclaimer under "Assumptions about the environment" making clear that our guarantees depend on the JAXP implementation honoring its documented contract, for example that an `EntityResolver` is invoked for every external fetch a DOM or SAX parser performs. We validate this against a known set of implementations (Xerces, the JDK fork, Android, Oracle XDK), but if a given implementation doesn't call the resolver as documented, that's a bug in that implementation, not something our library can compensate for. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
