
Re: \u0000 in literals?

From: Eric Prud'hommeaux <eric@w3.org>
Date: Mon, 20 May 2013 14:47:34 -0400
To: David Booth <david@dbooth.org>
Cc: Alex Milowski <alex@milowski.com>, "public-rdf-comments@w3.org" <public-rdf-comments@w3.org>
Message-ID: <20130520184733.GD9505@w3.org>
* David Booth <david@dbooth.org> [2013-05-20 14:27-0400]
> On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
> >Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
> >raw form.
> 
> Ugh.  Is there really a need to allow the NULL character in a
> string? This seems like it is unnecessarily asking for trouble,
> given that: (a) Turtle is designed to be semantic-web-friendly, to
> be used on the web; and (b) NULL characters in strings can lead to
> security vulnerabilities, because of the long history of NULL as a
> string terminator.
> 
> I imagine this was discussed already.  But were the security
> implications adequately considered?

I believe so. If we create tests which explicitly include NULL,
there's a lot less chance that an extraneous NULL will provide
a buffer overrun.

I honestly find the XML constraint about NULLs so 80s. I'd argue that
not needing to have a special encoding scheme (or four: hexBinary,
url-encoding, base64Binary, uu-encoded) for any datatype that might
someday in its future have a NULL in it is a significant advantage of
SemWeb over the XML stack. I note that none of the Turtle or SPARQL
implementers have reported problems with this.


> David

-- 
-ericP
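The tests Eric describes, which feed NULL through a parser in both escaped and raw form, as an added example that is not part of the thread: a small decoder for Turtle string escapes (the grammar's ECHAR and UCHAR productions) and a check that reports when a downstream sink drops everything after the first U+0000. Both sinks are hypothetical stand-ins, one emulating a NUL-terminated C buffer and one carrying an explicit length.

```python
import string

# Turtle ECHAR escapes; UCHAR (\uXXXX and \UXXXXXXXX) is handled in the loop.
ECHAR = {"t": "\t", "b": "\b", "n": "\n", "r": "\r", "f": "\f",
         '"': '"', "'": "'", "\\": "\\"}


def unescape_turtle(body: str) -> str:
    """Decode escapes in the body of a Turtle string literal (delimiters removed)."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            out.append(c)  # raw characters, U+0000 included, pass through untouched
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash at end of literal")
        e = body[i + 1]
        if e in ("u", "U"):
            width = 4 if e == "u" else 8
            digits = body[i + 2:i + 2 + width]
            if len(digits) != width or any(d not in string.hexdigits for d in digits):
                raise ValueError(f"malformed UCHAR at offset {i}")
            out.append(chr(int(digits, 16)))  # chr() rejects values above U+10FFFF
            i += 2 + width
        elif e in ECHAR:
            out.append(ECHAR[e])
            i += 2
        else:
            raise ValueError(f"unknown escape \\{e} at offset {i}")
    return "".join(out)


# Constructed test vectors: NULL escaped (short and long form), raw, and leading.
NUL_VECTORS = [
    ("escaped", "ab\\u0000cd", "ab\x00cd"),
    ("escaped-long", "ab\\U00000000cd", "ab\x00cd"),
    ("raw", "ab\x00cd", "ab\x00cd"),
    ("leading", "\\u0000cd", "\x00cd"),
]


def nul_failures(sink):
    """Decode each vector, pass it through `sink`, and list (name, expected_len, got_len) mismatches."""
    failures = []
    for name, body, expected in NUL_VECTORS:
        value = unescape_turtle(body)
        assert value == expected, f"decoder broke vector {name}"
        got = sink(value)
        if got != expected:
            failures.append((name, len(expected), len(got)))
    return failures


def c_string_sink(value: str) -> str:
    """Hypothetical sink emulating a NUL-terminated buffer: text after the first NUL is lost."""
    return value.split("\x00", 1)[0]


def length_carrying_sink(value: str) -> str:
    """Hypothetical sink that stores the value with its length and returns it unchanged."""
    return value
```

Running `nul_failures` against each sink shows the truncating one failing every vector while the length-carrying one passes.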
Received on Monday, 20 May 2013 18:48:07 UTC
