Done. My last 3 commits introduced a new feature
"http://apache.org/xml/features/disallow-doctype-decl". When it's turned
on, a fatal error is thrown if the incoming document contains a DOCTYPE
declaration.

Cheers,
Sandy Gao
Software Developer, IBM Canada
(1-905) 413-3255
[EMAIL PROTECTED]



"Ted Leung" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
cc:
Subject: Re: Fw: Security Alert - Xerces]
12/02/2002 02:02 PM
Please respond to xerces-j-dev



How long will it take to do what Neil proposes?  Since this involves a
security alert, I'd like
to be able to send a note to security@ telling them what the status and
proposed resolution is.

Ted
----- Original Message -----
From: "Ted Leung" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 29, 2002 11:24 AM
Subject: Re: Fw: Security Alert - Xerces]


> Elena,
>
> Thanks to the reference for [1] -- I haven't gotten up to date on the 1.2
> stuff yet.  I guess I didn't understand the rationale for the feature.  But
> now I do, and I agree that this is the best way to solve the problem.
>
> Ted
> ----- Original Message -----
> From: "Elena Litani" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 28, 2002 5:47 AM
> Subject: Re: Fw: Security Alert - Xerces]
>
>
> > Hi Ted,
> >
> > Ted Leung wrote:
> > > How about just a feature to turn entity expansion off?
> >
> > Neil's proposal is in line with the SOAP spec [1] which prohibits
> > DOCTYPE and I am not sure why you consider this feature an overkill..?
> > If we only introduce the feature you are proposing, Xerces will still
> > process an internal subset, which is forbidden by the SOAP spec and will
> > have performance implications (even if no entity expansion occurs).
> > Moreover, if the default configuration is chosen, and the document includes
> > a DOCTYPE, Xerces will include the DTD validator which again will slow
> > up processing and on top of it, the validator will attempt to normalize
> > attribute values (as defined in the XML 1.0 spec) -- and this means that
> > Xerces parsing of SOAP messages is not interoperable with any other
> > implementations.
> >
> > So I don't see any reason why we should not introduce the feature proposed
> > by Neil...
> >
> >
> > [1] http://www.w3.org/TR/soap12-part1/#soapenv
> >
> > Thank you,
> > --
> > Elena Litani / IBM Toronto
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
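
The feature discussed in this thread, shown through JAXP as an added example that is not code from the thread or from the Xerces project. The class name and both sample documents are constructed for illustration, and the example assumes the JAXP parser in use is Xerces-based and recognizes the feature name quoted above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DisallowDoctypeDemo {
    // Feature name exactly as given in the message above.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample inputs: one plain document, one carrying an
    // internal subset with an entity declaration.
    static final String PLAIN = "<Envelope><Body>ok</Body></Envelope>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE Envelope [ <!ENTITY e \"expanded\"> ]>"
        + "<Envelope><Body>&e;</Body></Envelope>";

    static SAXParser newParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // setFeature throws if the underlying parser does not recognize the
        // feature, so a silent fallback to DOCTYPE processing cannot happen.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newSAXParser();
    }

    /** Returns true if the document parses, false if it is rejected. */
    static boolean accepts(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            newParser().parse(new ByteArrayInputStream(bytes), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // The DOCTYPE is reported as a fatal error before any internal
            // subset, entity declaration or DTD validator is processed.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted: " + accepts(PLAIN));
        System.out.println("DOCTYPE document accepted: " + accepts(WITH_DOCTYPE));
    }
}
```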




