
Re: \u0000 in literals?

From: David Booth <david@dbooth.org>
Date: Mon, 20 May 2013 14:47:29 -0400
Message-ID: <519A6FC1.4060102@dbooth.org>
To: Eric Prud'hommeaux <eric@w3.org>
CC: Alex Milowski <alex@milowski.com>, "public-rdf-comments@w3.org" <public-rdf-comments@w3.org>
Forgot to include a reference . . .

On 05/20/2013 02:27 PM, David Booth wrote:
> On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
>> Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
>> raw form.
>
> Ugh.  Is there really a need to allow the NULL character in a string?
> This seems like it is unnecessarily asking for trouble, given that: (a)
> Turtle is designed to be semantic-web-friendly, to be used on the web;
> and (b) NULL characters in strings can lead to security vulnerabilities,
> because of the long history of NULL as a string terminator.
>
> I imagine this was discussed already.  But were the security
> implications adequately considered?

http://hakipedia.com/index.php/Poison_Null_Byte

David
Received on Monday, 20 May 2013 18:47:57 UTC
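
The mismatch behind the concern raised in this thread, as an added example that is not part of the original message or of any Turtle implementation: a literal containing U+0000, whether raw, as `\u0000` or as `\U00000000`, has one length as an RDF value and a shorter one to any NUL-terminated C API. The helper names `decode_literal` and `c_visible_len` are hypothetical, the sample literal is constructed, and only escapes below U+0080 are decoded.

```c
#include <stdio.h>
#include <string.h>
static int hexval(char c) {              /* value of one hex digit, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                           /* fold ASCII letters to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode \uXXXX / \UXXXXXXXX in a Turtle literal body (text between the quotes).
 * Escapes below U+0080 become one byte; all others are copied undecoded. -1 on error. */
long decode_literal(const char *src, size_t len, char *out, size_t cap) {
    size_t i = 0, n = 0;
    while (i < len) {
        size_t take = 1;   /* source bytes consumed this step */
        int ascii = -1;    /* decoded code point, if below U+0080 */
        if (src[i] == '\\' && i + 1 < len) {
            size_t digits = src[i + 1] == 'u' ? 4 : src[i + 1] == 'U' ? 8 : 0;
            unsigned long cp = 0;
            take = 2 + digits;           /* "\\" and other pairs: skip both bytes */
            if (i + take > len) return -1;
            for (size_t k = 0; k < digits; k++) {
                int h = hexval(src[i + 2 + k]);
                if (h < 0) return -1;
                cp = cp * 16 + (unsigned long)h;
            }
            if (digits && cp < 0x80) ascii = (int)cp;
        }
        if (n + (ascii >= 0 ? 1 : take) > cap) return -1;
        if (ascii >= 0) out[n++] = (char)ascii;
        else { memcpy(out + n, src + i, take); n += take; }
        i += take;
    }
    return (long)n;
}

/* Length a NUL-terminated consumer (strlen, strcpy, ...) sees in n bytes. */
size_t c_visible_len(const char *buf, size_t n) {
    const char *nul = memchr(buf, 0, n);
    return nul ? (size_t)(nul - buf) : n;
}

int main(void) {
    const char lit[] = "alice\\u0000bob";   /* constructed sample literal body */
    char out[32];
    long n = decode_literal(lit, sizeof lit - 1, out, sizeof out);
    if (n < 0) return 1;
    printf("literal: %ld bytes, C view: %zu bytes\n", n, c_visible_len(out, (size_t)n));
    return 0;
}
```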
