xml:base bug in exclusive canonicalization

Elliotte Harold Thu, 03 Feb 2005 02:28:53 -0800

This probably isn't a bug in XML-Security. However I suspect it's a problem with more recent versions of Xalan or Xerces or some such that affects XML-security. The same program that I wrote about in my earlier message generates output like the following when it's pulling in elements from external entities:

<doc>Data <e xml:base="file:/Users/elharo/Projects/XOM/data/canonical/xmlconf/xmltest/valid/ext-sa/006.ent"></e> More data <e xml:base="file:/Users/elharo/Projects/XOM/data/canonical/xmlconf/xmltest/valid/ext-sa/006.ent"></e> </doc>

The problem, obviously, are the extra xml:base attributes. The original document looked like this:

<doc>Data <e xml:base="file:/Users/elharo/Projects/XOM/data/canonical/xmlconf/xmltest/valid/ext-sa/006.ent"></e> More data <e xml:base="file:/Users/elharo/Projects/XOM/data/canonical/xmlconf/xmltest/valid/ext-sa/006.ent"></e> </doc>


006.ent was

Data
<e/>
More data
<e/>

I'm not sure what part of the tool chain is taking it upon itself to add the xml:base attributes. Probably Xerces.

I'd guess this is an issue with a specific version of Xerces. I ran this on Mac OS X with 1.4.2 using the Xerces Jar that's bundled with XML-Security 1.2. It's possible I'm not actually using that and instead picking up an earlier version bundled with the JDK, but I don't think so. However, if you can't reproduce this holler and I'll look more closely.


--
Elliotte Rusty Harold  [EMAIL PROTECTED]
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim

xml:base bug in exclusive canonicalization

Reply via email to