
Re: XML-* [was: ... XML subsetting...]

From: Tim Bray <tbray@textuality.com>
Date: Fri, 06 Dec 2002 07:04:10 -0800
Message-ID: <3DF0BC6A.5000905@textuality.com>
To: Elliotte Rusty Harold <elharo@metalab.unc.edu>
Cc: www-tag@w3.org

Elliotte Rusty Harold wrote:

>> You're not correct.  The billion laughs works just fine with only an 
>> internal subset.
> 
> I'm curious. Why is this called the "billion laughs" attack? The billion 
> I get. I don't see the laughs though, but maybe I lack a sufficiently 
> advanced sense of humor. :-)

Type "billion laughs" into Google.  The original example used entities 
of the form <!DEFINE e1 "ha ha ha ha ha"> and then exponentially 
exploded them.

>> Your notion about retaining entities but controlling their recursive 
>> expansion is plausible and has come up a couple of times now.
> 
> I can't say I like this. I don't approve of arbitrary limits to document 
> size or depth of recursion. I can easily imagine some machine generated 
> XML that needs to recurse deeply enough to enable the billion laughs 
> attack without necessarily triggering it.

I can't.  Example? -Tim
Received on Friday, 6 December 2002 10:04:12 GMT
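
An added example, not part of the original message or of any parser discussed in the thread: one way to control entity expansion without capping recursion depth is to compute each entity's fully expanded length from the declarations alone and reject the document when that length exceeds a budget. The names `expanded_sizes`, `max_chars`, `EntityBudgetExceeded` and `SAMPLE` are hypothetical, and the regexes assume internal general entities with quoted literal values only (no parameter or external entities).

```python
import re

# Internal general entity declarations only: <!ENTITY name "value"> (assumption).
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([\w.-]+);")  # does not match character refs like &#38;
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

# Constructed sample: three small levels, each referencing the previous one 10 times.
SAMPLE = """<!ENTITY e0 "ha">
<!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">"""

class EntityBudgetExceeded(Exception):
    """Raised when an entity's expansion would exceed the size budget."""

def expanded_sizes(dtd_text, max_chars=1_000_000):
    """Return {entity: fully expanded length} without building any expansion."""
    decls = {}
    for m in ENTITY_DECL.finditer(dtd_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)  # first declaration is binding in XML
    sizes, in_progress = {}, set()

    def size_of(name):
        if name in PREDEFINED:
            return 1
        if name in sizes:
            return sizes[name]  # memoised: each entity is measured once
        if name not in decls:
            raise ValueError(f"undeclared entity: {name}")
        if name in in_progress:
            raise ValueError(f"recursive entity: {name}")
        in_progress.add(name)
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal text outside references
        for ref in ENTITY_REF.findall(value):
            total += size_of(ref)
            if total > max_chars:
                raise EntityBudgetExceeded(f"&{name}; expands past {max_chars} chars")
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size_of(name)
    return sizes
```

Because the budget is on expanded size rather than nesting depth, a long chain of entities that each add one character passes, while a shallow set with high fan-out is rejected before anything is expanded.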
