RE: Xpath wrapping attack

From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 28 Oct 2010 14:09:39 -0400
To: "'Pratik Datta'" <pratik.datta@oracle.com>, <public-xmlsec@w3.org>
Message-ID: <00b701cb76cb$49ab68c0$dd023a40$@osu.edu>
> Currently we have a mechanism for defining text nodes that may contain
> qname, using the <c14n2:QNameAware> element, but this only for text nodes
> whose entire content is a QName, it does not do any scanning.  So I propose
> that we add a new sub element to QNameAware and call it
> "<c14n2:XPathElement>. This would be used to identify elements that contain
> XPaths

I don't think that shouldn't be part of QNameAware. It sounds like you want
a new option, XPathAware, which probably derives from a common base type.

For example, you suggest allowing for element content, but what about
attributes?

I think it's better to keep them distinct options, and just share a content
model.

-- Scott
Received on Thursday, 28 October 2010 18:10:39 GMT