There's also a Xerces-specific feature (http://apache.org/xml/features/disallow-doctype-decl) [1] which will cause the parser to report a fatal error if an instance document contains a DOCTYPE declaration.

[1] http://xml.apache.org/xerces2-j/features.html#disallow-doctype-decl

Neil Delima/Toronto/[EMAIL PROTECTED] wrote on 05/03/2004 02:04:08 PM:

>
> "Benjamin Kolin" <[EMAIL PROTECTED]> wrote on 05/03/2004 01:50:35 PM:
>
> > Followup question - what is considered the best method to defend against
> > entity expansion DOS attacks?  Specifically I am concerned about the
> > internal DTD because the features you mentioned already give me control
> > over the external DTD.  It would be acceptable to me to ignore the
> > internal DTD altogether.  Thanks.
>
> See the property: http://apache.org/xml/properties/security-manager [1]
>
> [1] http://xml.apache.org/xerces2-j/properties.html
> [2] http://xml.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html
> [3] http://xml.apache.org/xerces2-j/faq-write.html#faq-2


Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: [EMAIL PROTECTED]
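
Both settings named in this thread, applied to a Xerces-J SAX parser, as an added example (not code from the thread or from the Xerces project). It assumes Xerces-J is on the classpath; the class and helper names, the limit of 2 and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXercesParse {
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
    // Constructed sample: harmless internal DTD with one entity, referenced five times.
    static final String SAMPLE =
        "<!DOCTYPE r [<!ENTITY a \"x\">]><r>&a;&a;&a;&a;&a;</r>";

    // Instantiate Xerces-J directly so the JDK's bundled parser is not picked up.
    static XMLReader newReader() {
        XMLReader r = new org.apache.xerces.parsers.SAXParser();
        DefaultHandler h = new DefaultHandler(); // fatalError() rethrows, so parse() fails
        r.setContentHandler(h);
        r.setErrorHandler(h);
        return r;
    }

    // Option 1: any DOCTYPE declaration (internal or external subset) is a fatal error.
    static XMLReader noDoctypeReader() throws SAXException {
        XMLReader r = newReader();
        r.setFeature(DISALLOW_DOCTYPE, true);
        return r;
    }

    // Option 2: DTDs stay allowed, but the number of entity expansions is capped.
    // Fully qualified because java.lang.SecurityManager is a different class.
    static XMLReader limitedReader(int maxExpansions) throws SAXException {
        org.apache.xerces.util.SecurityManager sm = new org.apache.xerces.util.SecurityManager();
        sm.setEntityExpansionLimit(maxExpansions);
        XMLReader r = newReader();
        r.setProperty(SECURITY_MANAGER, sm);
        return r;
    }

    // True if the document parses, false if the parser raised a SAX error.
    static boolean accepts(XMLReader r, String xml) throws java.io.IOException {
        try { r.parse(new InputSource(new StringReader(xml))); return true; }
        catch (SAXException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default reader accepts:    " + accepts(newReader(), SAMPLE));
        System.out.println("no-DOCTYPE reader accepts: " + accepts(noDoctypeReader(), SAMPLE));
        System.out.println("limit=2 reader accepts:    " + accepts(limitedReader(2), SAMPLE));
    }
}
```

The first option suits the case in the quoted question where ignoring the internal DTD altogether is acceptable; the second keeps DTD support for documents that need it.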