- From: Liam R E Quin <liam@w3.org>
- Date: Tue, 21 Feb 2012 20:20:23 -0500
- To: Norman Walsh <ndw@nwalsh.com>
- Cc: W3C XML-ER Community Group <public-xml-er@w3.org>
On Tue, 2012-02-21 at 17:07 -0500, Norman Walsh wrote:
> I'm in favor of predefining all the html5/mathml entities.

Makes sense. Within 2 years every RSS reader on the planet will need to be updated, though.

> And
> presented with "&flubber;", where no definition of the flubber entity
> is known (for whatever reason, TBD), I think "&flubber;" is about
> the best recovery we could hope for.

Going and fetching the definition of &flubber; from the DTD does not seem unreasonable.

Browsers stopped fetching DTDs and processing entity definitions after the stupid "billion laughs" fud (it was a real attack, but exactly the same attack obviously works for javascript too, with exactly the same one-line fix, and people didn't stop using javascript).

There's content out there that assumes entity definitions work. So one possible strategy might be to fetch a DTD only at the point where the parser sees an undeclared entity.

This wouldn't help people who do <!ENTITY egrave SYSTEM "egrave.xml"> and expect &egrave; to include a file, since &egrave; won't trigger fetching the DTD.

Liam

--
Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
Pictures from old books: http://fromoldbooks.org/
Received on Wednesday, 22 February 2012 01:22:22 UTC
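
The strategy discussed in this message, sketched as an added example (not part of the original message and not code from any parser or W3C specification): predefined HTML5 names resolve locally, the DTD is fetched only when the first undeclared name is seen, an unknown name is left as written, and a cap on expanded output guards against nested-entity blowup of the billion-laughs kind. `LazyEntityResolver`, `fetch_dtd`, `sample_dtd` and the 10,000-character budget are hypothetical, and only internal entities with a quoted literal value are handled.

```python
import re
from html.entities import html5   # stdlib table; keys look like "egrave;"

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
# Simplification: only internal entities with a double-quoted literal value.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')

class ExpansionError(Exception):
    """Raised for recursive entities or output over the size budget."""

class LazyEntityResolver:
    def __init__(self, fetch_dtd, max_chars=10_000):
        self.fetch_dtd = fetch_dtd    # hypothetical callable returning DTD text
        self.max_chars = max_chars
        self.declared = None          # None until an undeclared name is seen
        self.fetches = 0

    def _lookup(self, name):
        if name + ";" in html5:       # predefined: never touches the DTD
            return html5[name + ";"], False
        if self.declared is None:     # first unknown name: fetch once
            self.fetches += 1
            self.declared = dict(ENTITY_DECL.findall(self.fetch_dtd()))
        return self.declared.get(name), True

    def expand(self, text, _active=()):
        if not _active:
            self.budget = self.max_chars   # fresh budget per top-level call
        def repl(m):
            name = m.group(1)
            value, from_dtd = self._lookup(name)
            if value is None:
                return m.group(0)          # recovery: leave "&flubber;" as is
            if from_dtd:
                if name in _active:
                    raise ExpansionError("recursive entity: " + name)
                value = self.expand(value, _active + (name,))
            self.budget -= len(value)      # charged at every nesting level
            if self.budget < 0:
                raise ExpansionError("expansion exceeds %d chars" % self.max_chars)
            return value
        return ENTITY_REF.sub(repl, text)

def sample_dtd():
    """Constructed DTD: a normal entity, a shadowed name, a nested lol chain."""
    decls = ['<!ENTITY corp "Example Corp">', '<!ENTITY egrave "FILE">',
             '<!ENTITY lol0 "lol">']
    for i in range(1, 9):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * 10))
    return "\n".join(decls)
```

The constructed DTD also declares `egrave`, which shows the caveat from the last paragraph of the message: the predefined value wins and the DTD is never consulted for that name.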