[ http://nagoya.apache.org/jira/browse/XERCESC-1309?page=comments#action_56737 ]

Scott Cantor commented on XERCESC-1309:
---------------------------------------

I have to agree with the previous comment, schemaLocation within a document is a hack, not something that should override other processing layers.

XML Schema does not define any mechanism to physically associate a particular schema document with a namespace in a normative way. This is evidenced by the fact that schemaLocation (and the location attribute used in import) are optional hints that can be ignored, not a normative binding of XML bits to the namespace. "Versioning" of schemas is therefore completely out of band and cannot be done by having one XML instance point at one physical file and a second instance point at another.

Therefore, I think the schema lookup mechanisms imposed by the parser-invoking application (be they a property or an EntityResolver) should take precedence. It was my impression Xerces-J worked this way, but I haven't checked lately.

> schemaLocation declared in instance document overrides validator properties
> ---------------------------------------------------------------------------
>
>          Key: XERCESC-1309
>          URL: http://nagoya.apache.org/jira/browse/XERCESC-1309
>      Project: Xerces-C++
>         Type: Bug
>   Components: Validating Parser (Schema) (Xerces 1.5 or up only)
>     Versions: 2.5.0, 2.6.0
>  Environment: Solaris 2.8, Forte 6.2 patch 5, built from source for both 2.5.0 and 2.6.0
>     Reporter: Jake Pieczonka
>     Priority: Critical
>
> I am writing some code to validate documents against a given schema:
>
> parser = new XercesDOMParser;
> errorHandler = new ValidatorErrorHandler;
> parser->setErrorHandler(errorHandler);
> parser->setValidationScheme(XercesDOMParser::Val_Always);
> parser->setDoNamespaces(true);
> parser->setDoSchema(true);
> //parser->setExternalSchemaLocation(schemaLocationWithNS.c_str());
> parser->setExternalNoNamespaceSchemaLocation(schemaLocation.c_str());
> parser->cacheGrammarFromParse(true);
>
> The code should override any schema declarations in the instance document.
> It works as expected when no schema declarations are present, and also
> correctly overrides any noNamespaceSchemaLocation declared in the document.
> However, if the document contains a schemaLocation declaration, then the code
> above fails to override it and the schema is loaded from the location
> contained in the document.
>
> Here is a sample declaration:
>
> <rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://exploit.com/schema
>     http://www.exploit.com/schemas/exploitSchema.xsd"/>
>
> I am flagging this as critical because of the possible security
> considerations. Instance documents should not be able to override the schema
> location declared by the program, since it then becomes a trivial matter to
> pass untrusted data to a program which is expecting validated input.
>
> Note that using the commented-out line above to set the schema location in
> the program also fails to override the document setting.
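
The precedence discussed in this thread (the application's schema lookup wins, the document's schemaLocation is only a hint) can be modelled as a small policy function. This is an added example, not code from the thread or from Xerces-C++, and it calls no Xerces-C++ API; `resolveSchemaHints`, `Decision`, `Verdict`, the `urn:example:orders` namespace and the local schema path are hypothetical names and constructed values.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Outcome for one (namespace, location-hint) pair found in xsi:schemaLocation.
enum class Verdict { UsePinned, RejectUnknownNamespace, Malformed };

struct Decision {
    std::string ns;        // namespace URI named by the document
    std::string hint;      // location the document asked for (never loaded)
    std::string resolved;  // schema the application will actually use
    Verdict verdict;
};

// Hypothetical policy helper: the application's namespace -> schema map is
// authoritative; the document's hint is kept for logging only.
std::vector<Decision> resolveSchemaHints(
        const std::string& schemaLocationValue,
        const std::map<std::string, std::string>& pinned) {
    // The attribute value is a whitespace-separated list of (namespace, location) pairs.
    std::istringstream in(schemaLocationValue);
    std::vector<std::string> tok;
    for (std::string t; in >> t;) tok.push_back(t);
    std::vector<Decision> out;
    for (std::size_t i = 0; i < tok.size(); i += 2) {
        if (i + 1 == tok.size()) {  // odd token count: namespace with no location
            out.push_back({tok[i], "", "", Verdict::Malformed});
            break;
        }
        auto it = pinned.find(tok[i]);
        if (it == pinned.end())     // namespace the application never configured
            out.push_back({tok[i], tok[i + 1], "", Verdict::RejectUnknownNamespace});
        else                        // known namespace: hint ignored, pinned schema used
            out.push_back({tok[i], tok[i + 1], it->second, Verdict::UsePinned});
    }
    return out;
}

// Constructed sample: the value from the report plus a hint for a pinned namespace.
std::vector<Decision> demo() {
    const std::map<std::string, std::string> pinned = {
        {"urn:example:orders", "/opt/app/schemas/orders.xsd"}};  // constructed
    return resolveSchemaHints(
        "http://exploit.com/schema http://www.exploit.com/schemas/exploitSchema.xsd "
        "urn:example:orders http://untrusted.example/orders.xsd", pinned);
}
```

The decision is keyed on the namespace alone, so a document can change which location it hints at without changing which schema is used.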