Gabriel Sechan wrote:
>> As a fun exercise, inject a NUL character into *anything* going into
>> C. Oops. Security hole.
>
> Not at all. C code can handle NULLs just fine. However, if it expects
> text data it may truncate your string to the first NULL. But there is
> no security hole here. And again, nothing to do with XML.
>
>> Or, better yet, the number of programs that still have hard-coded
>> string and buffer lengths. Oops. Stack smash.
>
> Bigger problem. But still nothing to do with XML.

Indirectly, it does. Since XML uses the Unicode string of your
programming language, you normally wind up using strings that don't
suffer from the previous problems.

> And there's damn good reasons for those binary formats - speed of
> parsing, storage space, etc.

Rarely.

A "custom format" is almost *always* worse than one of the standards.
XML for text or mixed, ASN.1 for on the wire, and one of the government
standards for *BIG* amounts of mathematical data.

> Not being human readable is frequently a
> bonus too - for every coder who goes in and hacks something cool of a
> human readable file, 20 morons corrupt the file.

We have a saying in VLSI: "The only reliable CAD tool is your text
editor". The number of times a vendor tries to prevent us from getting
data far exceeds the number of times someone screws up the file.
Especially with version control systems.

>> Instead of having to waste time reverse engineering the format, XML
>> puts the format directly in front of the humans. Yes, normally you
>> use the machine; however, when you *need* to look at it by eye, you
>> *can*.
>
> I can read binary or non-XML text quite well. Just give me the format.

Uh-uh-uh. The vendor won't give you the format. Think Microsoft and
Word. It's not the XML portions of Microsoft's new format that
everybody is trying to get at.

Suddenly, XML and binary aren't so equivalent.

>> The fact that you recommend lex and yacc sums up the problem quite
>> nicely. There are many superior tools for parsing and lexing, and yet
>> nobody ever uses them.
>
> Do you prefer flex and Bison? Same thing, new model.

Yeah, that's a step up, but I was thinking more along the lines of ANTLR
and its ilk. (Look for the references to other programs on this page.)
http://www.bearcave.com/software/antlr/antlr_expr.html
-a
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
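The exchange above turns on what happens when a byte buffer that carries its own length (the kind an XML parser or any length-prefixed format hands back) is passed to code that treats it as a C string. The following is an added example written for this page; it is not code from either poster. It uses a constructed 11-byte sample with a NUL at offset 5 and shows the three things a defender wants to see: the length a `strlen()`-based consumer actually observes, a boundary check that detects the embedded NUL before the bytes reach string APIs, and a copy into a fixed-size buffer that carries the real length and refuses input that does not fit instead of overrunning or silently truncating. The function names (`cstring_view_len`, `has_embedded_nul`, `copy_bounded`, `run_demo`) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 11 bytes of "text" with an embedded NUL at offset 5.
 * A length-aware producer (XML parser, length-prefixed record) delivers all
 * 11 bytes; a C string API sees only the 5 before the NUL.
 * sizeof() includes the literal's trailing terminator, hence the -1. */
static const unsigned char SAMPLE[] = "hello\0world";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* The length any strlen()-based consumer observes: it stops at the first NUL
 * and never learns that `len` more bytes were actually delivered. */
size_t cstring_view_len(const unsigned char *buf, size_t len)
{
    (void)len; /* a C string API has no way to receive the real length */
    return strlen((const char *)buf);
}

/* Boundary check: does this buffer contain a NUL that string-based code
 * downstream would silently truncate at? Reject or log such input here,
 * before it is handed to anything that expects a C string. */
bool has_embedded_nul(const unsigned char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Length-aware copy into a fixed-size destination. Carries the explicit
 * length through, so an embedded NUL is preserved, and returns 0 when the
 * input does not fit rather than writing past `dst_cap` or truncating. */
size_t copy_bounded(unsigned char *dst, size_t dst_cap,
                    const unsigned char *src, size_t src_len)
{
    if (src == NULL || dst == NULL || src_len > dst_cap)
        return 0;
    memcpy(dst, src, src_len);
    return src_len;
}

/* Runs the comparison on the constructed sample. Returns 1 when every
 * expectation holds, 0 otherwise; used by main() and by the test. */
int run_demo(void)
{
    unsigned char roomy[16]; /* large enough: copy succeeds, NUL intact */
    unsigned char tight[8];  /* too small: copy is refused, nothing written */

    if (cstring_view_len(SAMPLE, SAMPLE_LEN) != 5)
        return 0;
    if (!has_embedded_nul(SAMPLE, SAMPLE_LEN))
        return 0;
    if (copy_bounded(roomy, sizeof roomy, SAMPLE, SAMPLE_LEN) != SAMPLE_LEN)
        return 0;
    if (memcmp(roomy, SAMPLE, SAMPLE_LEN) != 0)
        return 0;
    if (copy_bounded(tight, sizeof tight, SAMPLE, SAMPLE_LEN) != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("bytes delivered: %zu, bytes a C string API sees: %zu\n",
           (size_t)SAMPLE_LEN, cstring_view_len(SAMPLE, SAMPLE_LEN));
    printf("embedded NUL detected: %s\n",
           has_embedded_nul(SAMPLE, SAMPLE_LEN) ? "yes" : "no");
    printf("demo %s\n", run_demo() ? "ok" : "FAILED");
    return run_demo() ? 0 : 1;
}
```

The point of the demo is the gap between `SAMPLE_LEN` (11) and `cstring_view_len()` (5): whether that gap is merely a truncated filename or something worse depends on what the consumer does with the shortened string, which is why the check belongs at the boundary where the explicit length is still known, and why fixed-size buffers should be filled through a routine that takes that length and can refuse.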