Followup question - what is considered the best method to defend against entity expansion DoS attacks? Specifically I am concerned about the internal DTD because the features you mentioned already give me control over the external DTD. It would be acceptable to me to ignore the internal DTD altogether. Thanks.
-Ben

-----Original Message-----
From: Andy Clark [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 10:33 AM
To: [EMAIL PROTECTED]
Subject: Re: DTD being resolved using non-validating parser?

Greg Hess wrote:
> I had always thought that by simply using a non-validating parser I
> could avoid the overhead of fetching the remote dtd and such. But it

Nope. Even if a parser is non-validating, it must do things like normalize attribute values according to their type. It can't do this without reading the DTD declarations.

However, there are Xerces-specific features that you can set that will prevent the external DTD from being fetched and processed. Specifically, you want the feature:

  http://apache.org/xml/features/nonvalidating/load-external-dtd

Please refer to the Features page in the documentation for information.

--
Andy Clark * [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
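Added example, not part of the original thread or of the Xerces project's code: a parser configured with the load-external-dtd feature named above still reads the internal subset and expands its entities, while the Xerces disallow-doctype-decl feature (not mentioned in the thread) rejects any document carrying a DOCTYPE rather than ignoring it. It assumes a JAXP parser that recognizes these Xerces feature URIs, such as Xerces-J 2.x or the parser bundled with the JDK; the class name and sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class InternalDtdDemo {
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: an internal subset with two levels of nested entities.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [\n"
      + "  <!ENTITY a \"xxxx\">\n"
      + "  <!ENTITY b \"&a;&a;&a;&a;\">\n"
      + "]>\n"
      + "<doc>&b;</doc>";

    // Parses SAMPLE and returns the length of the expanded text content.
    static int parse(boolean disallowDoctype) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Ask the implementation to enforce its processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The feature named in the thread: never fetch the external subset.
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        // Reject any document that carries a DOCTYPE, internal subset included.
        f.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // throw on fatal errors, no stderr output
        byte[] xml = SAMPLE.getBytes(StandardCharsets.UTF_8);
        return b.parse(new ByteArrayInputStream(xml))
                .getDocumentElement().getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        // With only load-external-dtd off, the internal DTD is still read and &b; is expanded.
        System.out.println("load-external-dtd=false only: " + parse(false) + " chars");
        try {
            parse(true);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("disallow-doctype-decl=true: rejected (" + e.getMessage() + ")");
        }
    }
}
```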