RE: SOAP's prohibiting use of XML internal subset from Julian Reschke on 2002-11-25 (www-tag@w3.org from November 2002)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 25 Nov 2002 23:24:25 +0100
To: "Mark Nottingham" <mnot@mnot.net>, "Tim Bray" <tbray@textuality.com>, "Paul Grosso" <pgrosso@arbortext.com>
Cc: <www-tag@w3.org>
Message-ID: <JIEGINCHMLABHJBIGKBCOEOLFNAA.julian.reschke@gmx.de>

> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]On Behalf Of
> Mark Nottingham
> Sent: Monday, November 25, 2002 11:15 PM
> To: Tim Bray; Paul Grosso
> Cc: www-tag@w3.org
> Subject: Re: SOAP's prohibiting use of XML internal subset
>
> ...
>
> Also, at first glance, the logic in that document seems to be faulty; it
> says one shouldn't impose "additional restrictions beyond those imposed by
> the XML recommendation itself" because "an implementer of the protocol may
> not be able to use an otherwise conforming XML processor to parse the
> XML-based protocol elements."
>
> If they are truly restrictions, how could a conformant processor not be
> able to parse the result? I grant that a vanilla conforming generator
> *may* have difficulty, depending on the abstraction that it presents to
> the programmer.

The issue is the other way around. If a spec specifically forbids some XML
feature, you won't be able to use a conforming XML parser (unless it's
configurable to switch off that feature, or it reliably reports that this
feature was used).

At some point of time the spec *required* usage of the XML declaration (that
is, implementations MUST reject XML request bodies without XML declaration).
In practice, as XML processors are not required to report the XML decl to
the application, how are you supposed to come up with a conforming
application?

> ..
>
> > - That granted, forbidding an internal subset seems kind of dumb.
> > Speaking as an XML processor implementor, the extra code required is
> > hardly detectable and the performance gain not significiant.
> > Furthermore, every XML processor in the world just silently does the
> > internal subset and it's going to cost *extra work* for SOAP
> > implementations to check that they haven't.  I.e. you can't use an
> > ordinary off-the-shelf non-validating XML processor.
>
> Perhaps the WG has a good reason for this prohibition; have they been
> asked?

Automatic resolution of external entities clearly is a security risk -- so
there SHOULD be a way for XML based protocols to explicitly forbid this.

Julian

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Received on Monday, 25 November 2002 17:24:59 UTC