- From: David Booth <david@dbooth.org>
- Date: Mon, 20 May 2013 14:47:29 -0400
- To: Eric Prud'hommeaux <eric@w3.org>
- CC: Alex Milowski <alex@milowski.com>, "public-rdf-comments@w3.org" <public-rdf-comments@w3.org>
Forgot to include a reference . . .

On 05/20/2013 02:27 PM, David Booth wrote:
> On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
>> Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
>> raw form.
>
> Ugh. Is there really a need to allow the NULL character in a string?
> This seems like it is unnecessarily asking for trouble, given that: (a)
> Turtle is designed to be semantic-web-friendly, to be used on the web;
> and (b) NULL characters in strings can lead to security vulnerabilities,
> because of the long history of NULL as a string terminator.
>
> I imagine this was discussed already. But were the security
> implications adequately considered?

http://hakipedia.com/index.php/Poison_Null_Byte

David
Received on Monday, 20 May 2013 18:47:57 UTC
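
The string-terminator concern raised in this message, as an added example that is not from the thread's participants or from any Turtle implementation: a simplified `\uXXXX` unescaper whose output length disagrees with `strlen` once a literal contains `\u0000`. The names `turtle_unescape` and `has_embedded_nul` and the sample literal are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode \uXXXX escapes in a Turtle string-literal body into UTF-8. Returns
 * the byte count, or -1 on a malformed escape, a surrogate or lack of space.
 * Other escapes (\n, \UXXXXXXXX) are copied through unchanged in this sketch. */
long turtle_unescape(const char *in, size_t n, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (o + 3 > cap) return -1;      /* conservative: room for 3 bytes */
        if (in[i] != '\\' || i + 1 >= n || in[i + 1] != 'u') {
            out[o++] = in[i];            /* raw byte, a raw NUL included */
            continue;
        }
        char hex[5] = {0};
        if (i + 6 > n) return -1;        /* truncated escape */
        memcpy(hex, in + i + 2, 4);
        for (int k = 0; k < 4; k++)
            if (!isxdigit((unsigned char)hex[k])) return -1;
        unsigned long cp = strtoul(hex, NULL, 16);
        i += 5;                          /* the loop's i++ passes the last digit */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
        if (cp < 0x80) {
            out[o++] = (char)cp;         /* \u0000 becomes a real 0x00 byte */
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    return (long)o;
}

int has_embedded_nul(const char *buf, size_t len) {
    return memchr(buf, 0, len) != NULL;  /* needs the decoded length, not strlen */
}

int main(void) {
    const char lit[] = "abc\\u0000def";  /* constructed literal body */
    char buf[32] = {0};
    long len = turtle_unescape(lit, sizeof lit - 1, buf, sizeof buf - 1);
    printf("decoded=%ld strlen=%zu embedded_nul=%d\n", len, strlen(buf),
           has_embedded_nul(buf, (size_t)len));
    return 0;
}
```

Any layer that receives the decoded buffer without its length sees only the bytes before the NUL, so a check made on the full literal and a use made through a C-string API can disagree about the value.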