Posted to j-users@xerces.apache.org by ne...@ca.ibm.com on 2003/01/28 00:42:55 UTC

[ANNOUNCEMENT]: Xerces-J 2.3.0 now available

Hi all,

The Xerces-J team is very happy to announce that version 2.3.0 of Xerces-J
is now available.  With this release, the Xerces-J developers are declaring
the Xerces Native Interface (XNI) core and parsers packages to be gold.
This release also brings Xerces-J into compliance with the most recent work
of the W3C DOM working group on DOM level 3 Core and Load/Save, and
introduces many fixes to bring Xerces-J's behaviour into line with XML
Schema errata. Support for the parsing of documents written according to
the XML 1.1 candidate recommendation has also been completed, except that
no option for verifying that documents are normalized has yet been
implemented. Finally, Xerces-J now provides means by which applications can
force the parser to reject certain kinds of documents whose processing
could result in a denial-of-service attack.

Specifically, the significant changes introduced in this release are:

- Modified XMLLocator interface to remove setter methods as a move towards
finalizing XNI; this change also implied removing XMLLocator's dependence
upon XMLResourceIdentifier. [Andy Clark]
- Implemented several DOM Level 3 features, including DOMConfiguration,
exposing type information via DOM, and allowing an ID attribute to be set in
the DOM. [Elena Litani]
- Modified support for DOM L3 compareDocumentPosition (formerly
compareTreePosition). [Lisa Martin]
- Modified several XNI interfaces, i.e. NamespaceContext,
XMLResourceIdentifier, Augmentation, XMLAttributes, and updated
implementation accordingly. [Elena Litani, Sandy Gao]
- Modified PSVI interfaces (org.apache.xerces.impl.xs.psvi) and updated
implementation accordingly. [Elena Litani]
- Modified XMLDTDHandler, XMLDTDSource, XMLDTDContentModelHandler and
XMLDTDContentModelSource to make these pipelines doubly-linked, as was done
in the last release for the main document pipeline. [Neil Graham]
- Completed experimental support for XML 1.1 and XML Namespaces 1.1 CR's,
except for XML 1.1 section 2.13. [Neil Graham]
- Provided a mechanism by which applications can instruct the parser to
abort the parsing of documents containing constructs that could swamp
system resources. [Neil Graham, Neeraj Bajaj]
- Added a feature "disallow-doctype-decl" so that a fatal error is reported
if this feature is on and the incoming document has a DOCTYPE. [Sandy Gao]
- Added a feature "standard-uri-conformant" so that the parser enforces the
URI rules when this feature is on. [Sandy Gao]
- Performance update: ported the partial DTM implementation of DOM and use
it for parsing Schema documents. [Sandy Gao]
- Provided full support for canonical representation of XML Schema
datatypes. [Sandy Gao]
- Implemented XML Schema errata as they were published. [Sandy Gao]
- Fix comment parsing bug that prevented Tomcat 4.1.12 from making use of
Xerces versions later than 2.1.0. [Tim Bruce, Neil Graham]

The release can be downloaded from
http://xml.apache.org/dist/xerces-j/

Enjoy!
Neil
Neil Graham
XML Parser Development
IBM Toronto Lab
Phone:  905-413-3519, T/L 969-3519
E-mail:  neilg@ca.ibm.com



---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-j-user-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-j-user-help@xml.apache.org
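
The "disallow-doctype-decl" feature listed in the announcement above, shown as an added example (not part of the original messages and not the Xerces project's own code): the same SAX parse is run with the feature off and on, against a document with and without a DOCTYPE. Assumptions: the feature is addressed by its full URI http://apache.org/xml/features/disallow-doctype-decl, the JAXP SAXParserFactory in use is backed by Xerces or a Xerces-derived parser, and the class name and both sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical demo class; not from the Xerces distribution.
public class DisallowDoctypeDemo {
    // Full feature URI for "disallow-doctype-decl" (assumed, see lead-in).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: internal DTD subset declaring a single entity.
    static final String WITH_DOCTYPE =
        "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>"
        + "<note>&greeting;</note>";
    // Constructed sample: equivalent content with no DOCTYPE at all.
    static final String WITHOUT_DOCTYPE = "<note>hello</note>";

    /** Returns "accepted", or "rejected: ..." when the parser reports a fatal error. */
    static String parse(String xml, boolean disallowDoctype) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Throws if the underlying parser does not recognise the feature,
        // so a misconfigured deployment fails loudly instead of silently.
        factory.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        SAXParser parser = factory.newSAXParser();
        try {
            // DefaultHandler rethrows fatal errors as SAXParseException.
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "accepted";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String[][] docs = { {"with DOCTYPE", WITH_DOCTYPE},
                            {"without DOCTYPE", WITHOUT_DOCTYPE} };
        for (String[] doc : docs) {
            for (boolean disallow : new boolean[] { false, true }) {
                System.out.println(doc[0] + ", disallow-doctype-decl=" + disallow
                    + " -> " + parse(doc[1], disallow));
            }
        }
    }
}
```

Only the combination of a DOCTYPE in the input and the feature switched on ends in a fatal error; the document without a DOCTYPE parses either way.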


Rejecting the billion laughs attack

Posted by Elliotte Rusty Harold <el...@metalab.unc.edu>.
At 6:42 PM -0500 1/27/03, neilg@ca.ibm.com wrote:

>Finally, Xerces-J now provides means by which applications can
>force the parser to reject certain kinds of documents whose processing
>could result in a denial-of-service attack.


How is this accomplished? Simply by rejecting documents that contain 
a document type declaration? That seems unnecessarily harsh to me? Is 
there any more fine-grained control over this?
-- 

+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
+-----------------------+------------------------+-------------------+
|           Processing XML with Java (Addison-Wesley, 2002)          |
|              http://www.cafeconleche.org/books/xmljava             |
| http://www.amazon.com/exec/obidos/ISBN%3D0201771861/cafeaulaitA  |
+----------------------------------+---------------------------------+
|  Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
|  Read Cafe con Leche for XML News: http://www.cafeconleche.org/    |
+----------------------------------+---------------------------------+
