David Hubbard wrote:
> Hi all,
> For security reasons I am trying to use resolveEntity to reject any uri
> that is not in an approved list of sources. I have the code running and
> if the uri is not in my list I return null. However, the behavior of
> xalanc is different than I anticipated. If null is returned as the input
> source
You need to read the specification for EntityResolver to understand how
things work. Returning a NULL pointer simply tells the SAX parser to
process the system ID as it normally would. The header file for
EntityResolver provides some clues, but the full description is here:
http://www.saxproject.org/apidoc/org/xml/sax/EntityResolver.html
> then the following happens after resolveEntity is called ( this is in
> xalanc\XSLT\XSLTProcessorEnvSupportDefault.cpp ):
> ...
> If null is returned by resolveEntity then the else branch is taken and
> the url is used anyway. Am I trying to use the EntityResolver interface
> for something it is not intended for?
The canonical way to handle this is to return an InputSource that provides
an empty entity. You could use a MemBufInputSource, or a
LocalFileInputSource with the name of a known, empty file.
The only caveat is that substituting an empty entity for the proper one can
lead to subtle differences in behavior or to errors. For example, a DTD
that contains default attributes will provide a different information set
than a substitute empty DTD.
Dave
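
Added example, not part of the original message and not Xalan-C or Xerces-C code: the empty-entity approach described above, shown with Python's xml.sax binding of the SAX EntityResolver interface instead of the C++ API so that it runs with only the standard library. The URIs, the allow-list contents and all class and function names are constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed allow-list: approved system IDs mapped to local copies of their
# content, so nothing is fetched over the network. All URIs are hypothetical.
APPROVED = {"http://approved.example/frag.xml": b"<approved/>"}

# Constructed sample document: one approved and one unapproved external entity.
SAMPLE = (b'<!DOCTYPE doc [\n'
          b'  <!ENTITY ok SYSTEM "http://approved.example/frag.xml">\n'
          b'  <!ENTITY bad SYSTEM "http://unapproved.example/frag.xml">\n'
          b']>\n'
          b'<doc>&ok;&bad;</doc>')

class AllowListResolver(EntityResolver):
    """Always hands the parser an InputSource, so it never resolves a URI itself."""
    def __init__(self, approved):
        self.approved = approved
        self.rejected = []  # system IDs that were replaced by an empty entity

    def resolveEntity(self, publicId, systemId):
        source = InputSource(systemId)
        if systemId in self.approved:
            source.setByteStream(io.BytesIO(self.approved[systemId]))
        else:
            self.rejected.append(systemId)           # keep a record for auditing
            source.setByteStream(io.BytesIO(b""))    # substitute an empty entity
        return source

class ElementNames(ContentHandler):
    def __init__(self):
        super().__init__()
        self.names = []

    def startElement(self, name, attrs):
        self.names.append(name)

def parse_with_allow_list(document, approved=APPROVED):
    resolver, handler = AllowListResolver(approved), ElementNames()
    parser = xml.sax.make_parser()
    # External general entities are disabled by default since Python 3.7.1.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler)
    parser.feed(document)
    parser.close()
    return handler.names, resolver.rejected
```

The unapproved entity expands to nothing, which is the information-set difference the caveat above warns about; the `rejected` list lets the caller decide whether to treat that as an error.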