> there was recently an xml-dev thread about security problems allowing
> arbitrary XML in protocols (see for instance [1]).

This topic is also discussed in RFC 2518, in Section 17.7 (Implications of XML External Entities).

> As WebDAV doesn't need resolution of external entities / DTD
> validation, I'd suggest to specify that servers and clients MUST NOT
> resolve external entities, that is, MUST reject any WebDAV protocol
> message that contains external entities.

In RFC 2518, we didn't go so far as to outlaw external entities, since (a) it didn't seem that likely they would ever get shipped across the wire, and (b) they might be useful for extensibility. But, after several years of implementation, I don't know of any uses of XML external entities, so I'd be fine with prohibiting them.

- Jim

Received on Wednesday, 19 June 2002 17:31:39 GMT
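An added example, not part of the original message or of any WebDAV implementation: one way a server could enforce the rule proposed in the thread with Python's expat binding, rejecting a body as soon as it declares an external entity or an external DTD subset. The function names and the sample bodies are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Body declares an external entity or an external DTD subset."""


def parse_webdav_body(body):
    """Parse a request body without resolving anything external.

    Returns the element names in document order; raises ForbiddenXML as
    soon as an external identifier is declared. (Hypothetical helper.)
    """
    names = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> points at an external DTD subset.
        if system_id is not None or public_id is not None:
            raise ForbiddenXML("external DTD subset in DOCTYPE %r" % name)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a system/public id instead of a literal value.
        if system_id is not None or public_id is not None:
            raise ForbiddenXML("external entity declaration %r" % name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(body, True)  # exceptions raised in handlers propagate from here
    return names


def is_rejected(body):
    """True when parse_webdav_body refuses the body under the rule above."""
    try:
        parse_webdav_body(body)
    except ForbiddenXML:
        return True
    return False


# Constructed sample bodies (not taken from the thread).
PROPFIND = (b'<?xml version="1.0" encoding="utf-8"?>'
            b'<D:propfind xmlns:D="DAV:"><D:prop><D:getcontentlength/></D:prop></D:propfind>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE D:propfind [<!ENTITY ext SYSTEM "http://example.invalid/ext">]>'
                   b'<D:propfind xmlns:D="DAV:"><D:prop>&ext;</D:prop></D:propfind>')
EXTERNAL_DTD = b'<!DOCTYPE propfind SYSTEM "http://example.invalid/dav.dtd"><propfind/>'
```

Internal entities are still accepted here, since the proposal in the thread only concerns external ones; a server that needs no DTD features at all can refuse every DOCTYPE in `on_doctype`.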