That's true, Scott. Xerces is a big player in the XML parsing world. I'm just a 
security activist trying to encourage important libraries like Xerces to use 
safe defaults when they can. And for XXE, for sure, there is precedent to turn 
it off by default since it's so dangerous.

--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 4, 2015, at 8:40 AM, Cantor, Scott <canto...@osu.edu> wrote:
> 
> On 3/4/15, 6:34 PM, "Michael Glavassevich" <mrgla...@ca.ibm.com> wrote:
> 
>> 
>> And I was pointing out that it's irrelevant to Jim's concern.
> 
> I'm betting Jim's concern is with the parser being secure, period, not 
> just in one specific way, but he can speak for himself.
> 
>> If you're interested in seeing a release which rolls up this and other 
>> fixes from the trunk, that's another discussion. The long period of time 
>> between Xerces releases boils down to a lack of time from developers and 
>> low interest from the community to motivate a new release.
> 
> I think the situation is clear to anybody reading this thread now that 
> isn't hiding their heads in the sand, which was my only intention.
> 
> -- Scott
> 
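Jim's point above, a parser that is safe by default versus one the caller has to lock down, as an added example that is not part of this thread or of the Xerces code base: a DocumentBuilderFactory left at its defaults beside one configured to reject DOCTYPE declarations and external entities. The sample document, the class and method names, and the local file path are constructed here; the feature URIs are the standard SAX and Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDefaults {
    // Constructed sample: a document whose DTD declares an external general
    // entity pointing at a local file (the classic XXE probe).
    private static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<data>&ext;</data>";

    // Factory at its defaults: DTDs are processed and external general
    // entities are resolved, so &ext; is replaced with the file's contents.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: refuse any DOCTYPE (removes the whole attack surface),
    // and additionally turn off external entity and DTD loading so the parser
    // stays safe even if disallow-doctype-decl is later relaxed by a caller.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the sample with the given builder and reports either the text of
    // <data> (i.e. what an attacker would exfiltrate) or why the parse failed.
    static String parseWith(DocumentBuilder b) {
        try {
            Document d = b.parse(new ByteArrayInputStream(XXE_DOC.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // The hardened builder lands here: DOCTYPE is rejected before any entity is touched.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            // The default builder lands here only if the referenced file cannot be read.
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseWith(defaultBuilder()));
        System.out.println("hardened -> " + parseWith(hardenedBuilder()));
    }
}
```

With the default builder the first line prints the contents of the referenced file (or an I/O error if it does not exist); with the hardened builder the document is rejected at the DOCTYPE, which is the behaviour Jim is arguing should not require any configuration at all. Setting the features on the factory rather than on an individual builder matters: every builder the factory hands out inherits them, so a single choke point covers the whole application.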

---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-users-h...@xerces.apache.org
