On 23-Oct-08, at 5:40 PM, David Waite wrote:
And what for?
So that you use XML correctly, and can do productive things rather
than dealing with DoS vectors.
What about the opposite DoS vector, send a server valid, well formed
XML, well formed XMLNS, but with 10000s of xmlns prefixes, prefix
everything, change the prefixes for every element, etc. I'm not too
sure if that is all legal but it wouldn't matter the server would have
to spend a large amount time before it could reject it and close the
session.
Look, it really sucks sometimes that a XMPP connection is an XML
document.
I disagree that a XMPP connection is an XML document. It isn't. It's a
protocol which uses XML to frame and encode it's payloads. So, maybe
it's misguided to think XML tools written for processing XML documents
would work as a lexer and parser for a XML protocol?
There are hacks to make this more efficient, and there are
hacks to do XMPP with off-the-shelf XML tools. Deciding to ignore that
it is XML altogether and just counting angle brackets is not a fix,
I don't believe anyone ever said or implied this.
and is just not going to play well if you are dealing with anything
other than sanitized input.
You can put most off-the-shelf tools in an XML namespace ignorant
mode, but it still comes to a decision - does XMPP use attributes with
funny names that start with 'xmlns:' and happens to conflict with XML
names, or is it meant to be XML names compliant with some bad legacy
software out there that server authors might want to cope with. The
middle ground is a world of pain.
I always vote for the funny names...
ck
