ppkarwasz commented on PR #23:
URL: https://github.com/apache/commons-xml/pull/23#issuecomment-4938583006

   Agreed, and the same logic applies to our threat model.
   
   We should add a disclaimer under "Assumptions about the environment" making 
clear that our guarantees depend on the JAXP implementation honoring its 
documented contract, for example that an `EntityResolver` is invoked for every 
external fetch a DOM or SAX parser performs.
   
   We validate this against a known set of implementations (Xerces, the JDK 
fork, Android, Oracle XDK), but if a given implementation doesn't call the 
resolver as documented, that's a bug in that implementation, not something our 
library can compensate for.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to