Hi Neil,
> In the forked copy of Xerces that we maintain (a.k.a. XML4J :) ), we're
> planning to solve this as follows: add a feature called
>
> http://apache.org/xml/features/disallow-doctype-decl
>
> which, when true, will cause the parser to emit a fatalError upon detection
> of a DOCTYPE. Obviously, this is wholly incompatible with XML 1.0, and it
> goes without saying it'll be false by default. But, as SOAP's a pretty
> important spec--and is not the only spec that disallows a DOCTYPE property
> in the infoset of conforming documents (the WSDL 1.2 WD does as well, IIRC)
> --this kind of feature would seem to have at least some general utility,
> aside from providing a workaround for this particular bug.
Yes, this kind of feature does make sense for some kind of applications that are
using Xerces2 like SOAP applications.
Lets take a broader view of the problem. Problem still remains for many
applications that will be using Xerces2. If for a moment we take our eyes off
from SOAP/WSDL scenario (those applications know in advance that messages
containing DOCTYPE declarations should be rejected straightway), any server side
application based on Xerces2 that recieves such XML document will have problem.
There are many such applications which are based on XML 1.0 and happliy
accept XML document having an internal-dtd-subset. Rejecting XML document
containing DOCTYPE declarations is NOT a solution for such applications.
So to me, Joe's suggestion of keeping check on the number of entity
expansions seems useful. I have heard that SGML originally had a wide variety of
processing limits that could be defined in the SGML declaration. Since such
things are not defined in XML1.0, by default their shouldn't be any limit.
But for the applications who do care for such things can set it to their
desired limit. Say an application running on particular server can decide the
limit of the number as per its configuration.
Comments ?
thanks,
Neeraj
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
