John, thank you for your past&present work on the SXML stuff. Two comments:

enforcing the “file://“ prefix.

Sounds like the following doesn't matter in this case, but another way to support both a given URL or given filename is to resolve the given value as a possibly relative URL, against a base URL that's a "file:" scheme URL for the current working directory.

I’ve made a change that appears to allow the use of “file://“ URIs with 

As soon as tools get into accessing resources via URLs from the XML (which I don't think is what you're doing, but it might be the next step for someone), it should be documented that there's a need for access control.

For example, imagine an application in which user-supplied XML specifies a (purported) schema with a "file:" or "http:" URL to some resource to which user doesn't have access, but the XML processor does.  If the application (or XML library it uses) attempts to access that URL too trustingly, then the user maybe be able to cause some privileged side-effect (e.g., manipulate a database, or control an IoT device), or learn some or all of the content at a URL (via, e.g., a too-detailed error message), or learn something about the system (e.g., something more about its location/operator/implementation, if it makes an outgoing request to a server user can monitor).

You received this message because you are subscribed to the Google Groups "Racket 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
For more options, visit

Reply via email to