- From: Eric Prud'hommeaux <eric@w3.org>
- Date: Mon, 20 May 2013 14:47:34 -0400
- To: David Booth <david@dbooth.org>
- Cc: Alex Milowski <alex@milowski.com>, "public-rdf-comments@w3.org" <public-rdf-comments@w3.org>
* David Booth <david@dbooth.org> [2013-05-20 14:27-0400]
> On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
> > Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
> > raw form.
>
> Ugh. Is there really a need to allow the NULL character in a
> string? This seems like it is unnecessarily asking for trouble,
> given that: (a) Turtle is designed to be semantic-web-friendly, to
> be used on the web; and (b) NULL characters in strings can lead to
> security vulnerabilities, because of the long history of NULL as a
> string terminator.
>
> I imagine this was discussed already. But were the security
> implications adequately considered?

I believe so. If we create tests which explicitly include NULL,
there's a lot less chance that an extraneous NULL will provide a
buffer overrun.

I honestly find the XML constraint about NULLs so 80s. I'd argue that
not needing to have a special encoding scheme (or four: hexBinary,
url-encoding, base64Binary, uu-encoded) for any datatype that might
someday in its future have a NULL in it is a significant advantage of
SemWeb over the XML stack.

I note that none of the Turtle or SPARQL implementers have reported
problems with this.

> David

--
-ericP
Received on Monday, 20 May 2013 18:48:07 UTC
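An added illustration of the point debated above (not part of the thread, and not code from any Turtle implementation): a length-delimited decoder for Turtle string-literal escapes in C, in which `\u0000` and a raw NUL are ordinary bytes and the output bound is checked explicitly, so the embedded NULL that the thread worries about cannot cause an overrun; a consumer that later treats the result as a NUL-terminated C string would silently truncate it instead. Function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Append code point cp to out as UTF-8; returns bytes written, 0 if cp is out of range. */
static size_t utf8_put(uint32_t cp, unsigned char *out) {
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : cp < 0x110000 ? 4 : 0;
    static const unsigned char lead[] = {0, 0x00, 0xC0, 0xE0, 0xF0};
    for (size_t k = n; k-- > 1; cp >>= 6) out[k] = 0x80 | (cp & 0x3F);   /* continuation bytes */
    if (n) out[0] = lead[n] | (unsigned char)cp;                           /* leading byte */
    return n;
}

static int hexval(char c) {                          /* value of one hex digit, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode the body of a Turtle string literal (the text between the quotes) into out.
 * Both sides are length-delimited, never NUL-terminated: a raw 0x00 byte is copied
 * through and a \u0000 escape decodes to 0x00, as the grammar permits. Returns the
 * decoded byte length, or -1 on a malformed escape or when out_cap is too small. */
long turtle_unescape(const char *in, size_t in_len, unsigned char *out, size_t out_cap) {
    static const char esc_in[] = "tnrbf\"'\\", esc_out[] = "\t\n\r\b\f\"'\\";
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char buf[4]; size_t n = 1;
        if (in[i] != '\\') {
            buf[0] = (unsigned char)in[i];           /* raw byte, 0x00 included */
        } else {
            if (++i >= in_len) return -1;            /* dangling backslash */
            char e = in[i];
            size_t hex = (e == 'u') ? 4 : (e == 'U') ? 8 : 0;
            if (hex) {                               /* \uXXXX or \UXXXXXXXX */
                if (i + hex >= in_len) return -1;    /* not enough hex digits */
                uint32_t cp = 0;
                for (size_t k = 1; k <= hex; k++) {
                    int v = hexval(in[i + k]); if (v < 0) return -1;
                    cp = (cp << 4) | (uint32_t)v;
                }
                i += hex;
                if ((n = utf8_put(cp, buf)) == 0) return -1;
            } else {                                 /* single-character escape */
                const char *p = e ? strchr(esc_in, e) : NULL; if (!p) return -1;
                buf[0] = (unsigned char)esc_out[p - esc_in];
            }
        }
        if (o + n > out_cap) return -1;              /* explicit bound: no overrun */
        memcpy(out + o, buf, n); o += n;
    }
    return (long)o;
}
```

A test suite for a parser should feed both `"a\u0000b"` and a literal containing a raw NUL and check that the decoded length is 3, which is exactly the kind of explicit NULL test the reply argues for.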