How long will it take to do what Neil proposes? Since this involves a security alert, I'd like to be able to send a note to security@ telling them what the status and proposed resolution is.

Ted

----- Original Message -----
From: "Ted Leung" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 29, 2002 11:24 AM
Subject: Re: Fw: Security Alert - Xerces]

> Elena,
>
> Thanks for the reference to [1] -- I haven't gotten up to date on the 1.2
> stuff yet. I guess I didn't understand the rationale for the feature. But
> now I do, and I agree that this is the best way to solve the problem.
>
> Ted
> ----- Original Message -----
> From: "Elena Litani" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 28, 2002 5:47 AM
> Subject: Re: Fw: Security Alert - Xerces]
>
> > Hi Ted,
> >
> > Ted Leung wrote:
> > > How about just a feature to turn entity expansion off?
> >
> > Neil's proposal is in line with the SOAP spec [1], which prohibits
> > DOCTYPE, and I am not sure why you consider this feature overkill.
> > If we only introduce the feature you are proposing, Xerces will still
> > process an internal subset, which is forbidden by the SOAP spec and will
> > have performance implications (even if no entity expansion occurs).
> > Moreover, if the default configuration is chosen and the document includes
> > a DOCTYPE, Xerces will include the DTD validator, which again will slow
> > down processing, and on top of that the validator will attempt to normalize
> > attribute values (as defined in the XML 1.0 spec) -- and this means that
> > Xerces' parsing of SOAP messages is not interoperable with any other
> > implementation.
> >
> > So I don't see any reason why we should not introduce the feature proposed
> > by Neil...
> >
> > [1] http://www.w3.org/TR/soap12-part1/#soapenv
> >
> > Thank you,
> > --
> > Elena Litani / IBM Toronto
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
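The distinction Elena draws above (a switch that only stops entity expansion still lets Xerces read the internal subset and attach the DTD validator, whereas rejecting the DOCTYPE up front does neither) is easier to see with a parser in hand. The following is an added example written for this page, not code from the thread or from the Xerces project. It assumes that the feature Neil proposed is the one that later shipped in Xerces under the URI `http://apache.org/xml/features/disallow-doctype-decl`, that the parser obtained through JAXP is Xerces or the JDK's Xerces-derived copy (both recognise that URI), and it uses a constructed SOAP-style message containing an internal subset with a small nested entity.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/*
 * Added example (not from the Xerces thread or project): compare three parser
 * configurations on a SOAP-style message that carries a DOCTYPE.
 *   1. defaults              - internal subset is processed, entities expand
 *   2. external entities off - internal subset is STILL processed and expanded
 *   3. DOCTYPE disallowed    - the message is rejected before any DTD work
 */
public class DoctypeGate {

    // Assumption: this is the Xerces feature that Neil's proposal became.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Standard SAX feature: stops fetching of EXTERNAL general entities only.
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";

    // Constructed message. SOAP 1.2 forbids any DOCTYPE in an envelope, yet
    // this one carries an internal subset with a nested entity: the shape an
    // expansion bomb takes, kept tiny here. The namespace is the SOAP 1.2 REC
    // envelope namespace (assumed; the 2002 drafts used a different URI).
    static final String MESSAGE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE env:Envelope [\n" +
        "  <!ENTITY a \"aaaaaaaaaa\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "]>\n" +
        "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\">\n" +
        "  <env:Body><m:note xmlns:m=\"urn:example:notes\">&b;</m:note></env:Body>\n" +
        "</env:Envelope>\n";

    /**
     * Parse MESSAGE with one optional feature applied. Returns a one-line
     * summary: either how many characters of text the parser delivered
     * (a proxy for how much entity expansion happened) or why it refused.
     */
    static String parse(String featureUri, boolean value) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        if (featureUri != null) {
            factory.setFeature(featureUri, value);
        }
        SAXParser parser = factory.newSAXParser();

        // Count characters handed to the content handler; expanded entity
        // text arrives here just like literal text does.
        final int[] delivered = {0};
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                delivered[0] += length;
            }
        };

        try {
            parser.parse(new InputSource(new StringReader(MESSAGE)), handler);
            return "accepted, " + delivered[0] + " characters of text delivered";
        } catch (SAXParseException e) {
            // disallow-doctype-decl reports the DOCTYPE itself as the error.
            return "rejected at line " + e.getLineNumber() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("defaults:               " + parse(null, false));
        System.out.println("external entities off:  " + parse(EXTERNAL_GENERAL_ENTITIES, false));
        System.out.println("DOCTYPE disallowed:     " + parse(DISALLOW_DOCTYPE, true));
    }
}
```

Run it with `javac DoctypeGate.java && java DoctypeGate`. The first two configurations both accept the message and both deliver the expanded text of `&b;`, because the internal subset is inline and no external fetch is involved, so a switch that only disables external entities buys nothing against it. Only the third configuration refuses the document, and it does so at the DOCTYPE line, before the DTD scanner or validator is ever attached; that is the behaviour the SOAP envelope rules call for and the reason the thread prefers Neil's feature to a narrower entity-expansion switch.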
