I have just checked an update into CVS for the C++ library around the handling of Id attributes, implementing the following.
1. A method on DSIGSignature allowing the caller to control whether the library will search for Ids based on names if a call to getElementById fails. *NOTE* - By default this is enabled, to provide backwards compatibility. However this is marked with a warning that it may (and will) change in a future version of the library.
2. Allowable names for Id attributes are now stored in a list. This list can be added to by the calling program using new methods on DSIGSignature.
3. The list contains "Id" and "id" by default, to emulate the behaviour of the Java library. However these can be deleted and replaced using methods added to DSIGSignature.
As an aside, the DSIGSignature class is getting rather ugly, with calls all over the place to enable and disable functionality. I am thinking of introducing a set of methods in 1.2 that will provide a consistent, single interface for all configuration on DSIGSignature, as this will provide better portability. I'll also add the interface to XSECProvider to allow for "global" configurations. Half the work was done for 1.1 in that there is now an "environment" object that holds all this information and gets passed around the various signature objects.
Interested in thoughts on the last part.
Cheers,
Berin

Berin Lautenbach wrote:
Scott/Sean/Milan,
What I'm going to do in the C++ library is put in a call that allows you to disable the search for non registered Ids. That allows for backwards compatibility, but ensures that the settings can be more secure.
I might also mark it in the docs with a warning that at version 2, this will become the default.
Cheers, Berin
Scott Cantor wrote:
My advice would be to remove the code that searches for attributes named id, or Id and force the application to manually register those ids.
+1.
But I'd add that Sun's inclusion of an XML parser in the JRE really
complicates this because it forces us to endorse a parser that does support
the DOM3 calls needed to manually register IDs. I'm not aware of any
non-DOM3 method in, say, Xerces, that even supports registration of IDs,
whether standard or otherwise. Happy to learn of one, though.
-- Scott
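
The lookup order described in the first message of this thread (registered IDs first, then an optional search by attribute name over a configurable list), modelled in Python with `xml.dom.minidom` as an added example. It is not the C++ library's code: `IdResolver`, its method names, `load_sample` and the sample document are hypothetical.

```python
from xml.dom import minidom

# Constructed sample: two elements carry the value "payload". Only <Approved>
# can be registered as a real ID; <Decoy> merely has an attribute named "id".
SAMPLE = """<Envelope>
  <Decoy id="payload">unsigned content</Decoy>
  <Approved Id="payload">signed content</Approved>
  <Legacy Id="legacy-1">no ID registration</Legacy>
</Envelope>"""


def load_sample(register=True):
    doc = minidom.parseString(SAMPLE)
    if register:  # explicit registration, as with the DOM Level 3 calls
        doc.getElementsByTagName("Approved")[0].setIdAttribute("Id")
    return doc


class IdResolver:
    """Hypothetical model of the three changes listed in the post."""

    def __init__(self, doc, search_by_name=True):
        self.doc = doc
        self.search_by_name = search_by_name  # item 1: enabled by default
        self.id_names = ["Id", "id"]          # items 2 and 3: default list

    def register_id_name(self, name):
        if name not in self.id_names:
            self.id_names.append(name)

    def deregister_id_name(self, name):
        if name in self.id_names:
            self.id_names.remove(name)

    def resolve(self, value):
        # First choice: IDs registered with the DOM by the application.
        found = self.doc.getElementById(value)
        if found is not None or not self.search_by_name:
            return found
        # Fallback: first element, in document order, whose attribute with
        # an allowed name holds the value. Nothing guarantees uniqueness.
        for elem in self.doc.getElementsByTagName("*"):
            if any(elem.getAttribute(n) == value for n in self.id_names):
                return elem
        return None


if __name__ == "__main__":
    print(IdResolver(load_sample(False)).resolve("payload").tagName)
```

With no ID registered, the default settings resolve `payload` to `<Decoy>` because it comes first in document order; with the fallback disabled the lookup returns nothing until the application registers the ID.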
