[ http://nagoya.apache.org/jira/browse/XERCESC-1309?page=comments#action_56735 ]

Jake Pieczonka commented on XERCESC-1309:
-----------------------------------------

I re-ran my test case, and here are my results.

In the case of the instance document referring to a schema using the 
noNamespaceSchemaLocation, the programmatic override set using 
setExternalNoNamespaceSchemaLocation() takes precedence, and the schema 
referenced by the document is not used.  I am not sure if the schema referenced 
by the instance document is parsed and then discarded, or never parsed at all.

In the case of the instance document referring to a schema using the 
schemaLocation, no programmatic override can take place.  This case is 
consistent with the expected behaviour you described.

In both cases, I am pre-parsing the schema I want to use programmatically.

I propose the correct behaviour is the first case.  The developer should be 
able to override schemas referenced in the instance document, rather than just 
augment them.

> schemaLocation declared in instance document overrides validator properties
> ---------------------------------------------------------------------------
>
>          Key: XERCESC-1309
>          URL: http://nagoya.apache.org/jira/browse/XERCESC-1309
>      Project: Xerces-C++
>         Type: Bug
>   Components: Validating Parser (Schema) (Xerces 1.5 or up only)
>     Versions: 2.5.0, 2.6.0
>  Environment: Solaris 2.8, Forte 6.2 patch 5, built from source for both 
> 2.5.0 and 2.6.0
>     Reporter: Jake Pieczonka
>     Priority: Critical

>
> I am writing some code to validate documents against a given schema:
>     parser = new XercesDOMParser;
>     errorHandler = new ValidatorErrorHandler;
>     parser->setErrorHandler(errorHandler);
>     parser->setValidationScheme(XercesDOMParser::Val_Always);
>     parser->setDoNamespaces(true);
>     parser->setDoSchema(true);
>     //parser->setExternalSchemaLocation(schemaLocationWithNS.c_str());
>     parser->setExternalNoNamespaceSchemaLocation(schemaLocation.c_str());
>     parser->cacheGrammarFromParse(true);
> The code should override any schema declarations in the instance document.
> It works as expected when no schema declarations are present, and also 
> correctly overrides any noNamespaceSchemaLocation declared in the document.
> However, if the document contains a schemaLocation declaration, then the code 
> above fails to override it and the schema is loaded from the location 
> contained in the document.
> Here is a sample declaration:
> <rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:schemaLocation="http://exploit.com/schema 
> http://www.exploit.com/schemas/exploitSchema.xsd"/>
> I am flagging this as critical because of the possible security 
> considerations.  Instance documents should not be able to override the schema 
> location declared by the program, since it then becomes a trivial matter to 
> pass untrusted data to a program which is expecting validated input.
> Note that using the commented-out line above to set the schema location in 
> the program also fails to override the document setting.

-- 
This message is automatically generated by JIRA.
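
An added example, not part of the original message or of Xerces-C++: a Python pre-check that lists the `xsi:schemaLocation` and `xsi:noNamespaceSchemaLocation` hints an instance document carries, whatever prefix it binds to the XSI namespace, so a caller can refuse documents that name unapproved schemas before they reach the validator. The function names and the `APPROVED` set are hypothetical; the first sample is the declaration from the report, the second is constructed.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Declaration quoted in the report above.
REPORT_SAMPLE = (
    '<rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:schemaLocation="http://exploit.com/schema '
    'http://www.exploit.com/schemas/exploitSchema.xsd"/>'
)
# Constructed sample: different prefix, hint on a nested element.
NESTED_SAMPLE = (
    '<a xmlns:s="http://www.w3.org/2001/XMLSchema-instance">'
    '<b s:noNamespaceSchemaLocation="local.xsd"/></a>'
)
# Hypothetical allowlist of (namespace, location) pairs the program accepts.
APPROVED = {(None, "local.xsd")}


def schema_hints(xml_text):
    """Return (kind, namespace, location) for every XSI schema hint found."""
    hints = []
    for elem in ET.fromstring(xml_text).iter():
        no_ns = elem.get(f"{{{XSI}}}noNamespaceSchemaLocation")
        if no_ns is not None:
            hints.append(("noNamespaceSchemaLocation", None, no_ns.strip()))
        # schemaLocation holds whitespace-separated namespace/location pairs.
        pairs = elem.get(f"{{{XSI}}}schemaLocation", "").split()
        for i in range(0, len(pairs), 2):
            location = pairs[i + 1] if i + 1 < len(pairs) else ""
            hints.append(("schemaLocation", pairs[i], location))
    return hints


def unapproved_hints(xml_text, approved):
    """Hints whose (namespace, location) pair is not on the allowlist."""
    return [h for h in schema_hints(xml_text) if (h[1], h[2]) not in approved]


if __name__ == "__main__":
    for name, doc in (("report", REPORT_SAMPLE), ("nested", NESTED_SAMPLE)):
        print(name, unapproved_hints(doc, APPROVED))
```
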