Elena,

Thanks for the reference to [1] -- I haven't gotten up to date on the 1.2 stuff yet. I guess I didn't understand the rationale for the feature. But now I do, and I agree that this is the best way to solve the problem.
Ted

----- Original Message -----
From: "Elena Litani" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 28, 2002 5:47 AM
Subject: Re: Fw: Security Alert - Xerces]

> Hi Ted,
>
> Ted Leung wrote:
> > How about just a feature to turn entity expansion off?
>
> Neil's proposal is in line with the SOAP spec [1] which prohibits
> DOCTYPE and I am not sure why you consider this feature an overkill..?
> If we only introduce the feature you are proposing, Xerces will still
> process an internal subset, which is forbidden by the SOAP spec and will
> have performance implications (even if no entity expansion occurs).
> Moreover, if the default configuration is chosen, and document includes
> a DOCTYPE, Xerces will include the DTD validator which again will slow
> up processing and on top of it, the validator will attempt to normalize
> attribute values (as defined in the XML 1.0 spec) -- and this means that
> Xerces parsing of SOAP messages is not interoperable with any other
> implementations.
>
> So I don't see any reason why we should not introduce the feature proposed
> by Neil...
>
>
> [1] http://www.w3.org/TR/soap12-part1/#soapenv
>
> Thank you,
> --
> Elena Litani / IBM Toronto
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
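The point made in the quoted message, that an internal subset changes what the parser reports even when no entity is ever expanded, can be reproduced with any XML 1.0 parser. The following is an added example, not code from this thread or from Xerces: it uses Python's expat binding, and the names `item_ids`, `DoctypeForbidden` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample: a SOAP-like envelope. The internal subset declares no
# entities at all, only an attribute type.
BODY = '<Envelope><Item ids="  a   b  "/></Envelope>'
WITH_DOCTYPE = ('<!DOCTYPE Envelope [<!ATTLIST Item ids NMTOKENS #IMPLIED>]>'
                + BODY)


class DoctypeForbidden(Exception):
    """Raised when a message carries a document type declaration."""


def item_ids(xml_text, forbid_doctype=False):
    """Return the 'ids' attribute of <Item> exactly as the parser reports it.

    With forbid_doctype=True the parse is aborted as soon as a DOCTYPE
    is seen, before any declaration in the internal subset is applied.
    """
    seen = {}
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        if name == "Item":
            seen["ids"] = attrs.get("ids")

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE is not allowed in this message")

    parser.StartElementHandler = start_element
    if forbid_doctype:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(xml_text, True)
    return seen.get("ids")


if __name__ == "__main__":
    # Same element, two different values: the ATTLIST makes the parser
    # collapse whitespace in 'ids' (XML 1.0 attribute-value normalization).
    print(repr(item_ids(BODY)))
    print(repr(item_ids(WITH_DOCTYPE)))
    try:
        item_ids(WITH_DOCTYPE, forbid_doctype=True)
    except DoctypeForbidden as exc:
        print("rejected:", exc)
```

A receiver that only disables entity expansion still returns the second, normalized value; rejecting the DOCTYPE is what keeps the two parses from diverging.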
