When I replaced the URI in the DTD External Entity reference with a legitimate one (pointing to a stub server on my own machine), I did get complaints about HTML protocol not being correct ... so apparently this is at least trying to open the URI.
If it's actually reading the entity, that could be the basis for a DOS attack, if nothing else. We *should* be running with the secure flag set. I can try debuggerizing to confirm. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
