On Feb 10, 2009, at 22:26, Henry S. Thompson wrote: > And there's good reason for that: XML actually _is_ usable by > authors and authoring well-formed XML is _not_ hard. However, writing XML-outputting software whose output is always well- formed even in the case of malicious input is hard. > b) points to a piece of broken _software_; [..] > one article that points to a page in which someone trying to > introduce an _intentional_ markup error made the wrong error. It is a pretty significant problem if an attacker can intentionally introduce a markup error into a system so that the administrator of the system is denied service when trying to use a browser-based UI for managing the system (and all other users are denied service, too). > Hardly a compelling set of evidence that well-formed XML is too hard > for ordinary mortals. So far Philip Taylor (the author of http://lists.w3.org/Archives/Public/www-archive/2009Feb/0058.html ) has found well-formedness holes in every XML-outputting system he has cared to try. He even managed to make Validator.nu produce ill-formed output. The bug was in the Xalan serializer--a widely distributed library written by experts. (Astral characters were serialized as two numeric character references for the corresponding surrogates.) I can brag that Philip hasn't found an ill-formedness-inducing bug in any XML serialization code written entirely by me. However, he has still found *a* bug (not ill-formedness-inducing one) in my XML serializer, too. (I replaced the Xalan serializer with one that I wrote myself.) -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/Received on Wednesday, 11 February 2009 09:35:45 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:12 GMT