Posted to j-dev@xerces.apache.org by Ted Leung <tw...@sauria.com> on 2002/12/02 20:02:00 UTC

Re: Fw: Security Alert - Xerces]

How long will it take to do what Neil proposes?  Since this involves a
security alert, I'd like
to be able to send a note to security@ telling them what the status and
proposed resolution is.

Ted
----- Original Message -----
From: "Ted Leung" <tw...@sauria.com>
To: <xe...@xml.apache.org>
Sent: Friday, November 29, 2002 11:24 AM
Subject: Re: Fw: Security Alert - Xerces]


> Elena,
>
> Thanks to the reference for [1] -- I haven't gotten up to date on the 1.2
> stuff yet.  I guess I didn't understand the rationale for the feature.
> But now I do, and I agree that this is the best way to solve the problem.
>
> Ted
> ----- Original Message -----
> From: "Elena Litani" <el...@ca.ibm.com>
> To: <xe...@xml.apache.org>
> Sent: Thursday, November 28, 2002 5:47 AM
> Subject: Re: Fw: Security Alert - Xerces]
>
>
> > Hi Ted,
> >
> > Ted Leung wrote:
> > > How about just a feature to turn entity expansion off?
> >
> > Neil's proposal is in line with the SOAP spec [1] which prohibits
> > DOCTYPE and I am not sure why you consider this feature an overkill..?
> > If we only introduce the feature you are proposing,  Xerces will still
> > process an internal subset, which is forbidden by the SOAP spec and will
> > have performance implications (even if no entity expansion occurs).
> > Moreover, if the default configuration is chosen, and document includes
> > a DOCTYPE, Xerces will include the DTD validator which again will slow
> > up processing and on top of it, the validator will attempt to normalize
> > attribute values (as defined in the XML 1.0 spec) -- and this means that
> > Xerces parsing of SOAP messages is not interoperable with any other
> > implementations.
> >
> > So I don't see any reason why we should not introduce the feature proposed
> > by Neil...
> >
> >
> > [1] http://www.w3.org/TR/soap12-part1/#soapenv
> >
> > Thank you,
> > --
> > Elena Litani / IBM Toronto
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: xerces-j-dev-unsubscribe@xml.apache.org
> > For additional commands, e-mail: xerces-j-dev-help@xml.apache.org
> >
>
>
>
>
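An added example, not code from this thread or from the Xerces project itself, showing the approach Elena argues for: reject any DOCTYPE declaration up front so the internal subset is never processed and no DTD validator is pulled in. It assumes a Xerces-backed JAXP parser that supports the `http://apache.org/xml/features/disallow-doctype-decl` feature (the thread does not name the feature Neil proposed; this is the one later Xerces releases expose); the two SOAP envelopes are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class SoapDoctypeCheck {
    // Xerces feature that makes the parser fail fatally on any DOCTYPE declaration.
    // Assumed to be supported by the Xerces implementation on the classpath.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: SOAP 1.2 envelope carrying a DOCTYPE with an internal subset
    // (forbidden by the SOAP spec; the entity would otherwise be expanded).
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE env:Envelope [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\">\n"
      + "  <env:Body><m:Msg xmlns:m=\"urn:example\">&greeting;</m:Msg></env:Body>\n"
      + "</env:Envelope>\n";

    // Constructed sample: the same envelope with no DOCTYPE at all.
    static final String WITHOUT_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\">\n"
      + "  <env:Body><m:Msg xmlns:m=\"urn:example\">hello</m:Msg></env:Body>\n"
      + "</env:Envelope>\n";

    /** Returns true if the message parsed, false if it was rejected for carrying a DOCTYPE. */
    static boolean parseSoap(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(DISALLOW_DOCTYPE, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            // The parser stops at the DOCTYPE itself, so the internal subset is never
            // read, no entity is expanded, and no DTD validator (with its attribute
            // normalization) is ever attached to the pipeline.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("envelope with DOCTYPE accepted:    " + parseSoap(WITH_DOCTYPE));
        System.out.println("envelope without DOCTYPE accepted: " + parseSoap(WITHOUT_DOCTYPE));
    }
}
```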