* David Booth <david@dbooth.org> [2013-05-20 14:27-0400]
> On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
> >Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
> >raw form.
>
> Ugh. Is there really a need to allow the NULL character in a
> string? This seems like it is unnecessarily asking for trouble,
> given that: (a) Turtle is designed to be semantic-web-friendly, to
> be used on the web; and (b) NULL characters in strings can lead to
> security vulnerabilities, because of the long history of NULL as a
> string terminator.
>
> I imagine this was discussed already. But were the security
> implications adequately considered?

I believe so. If we create tests which explicitly include NULL, there's a lot less chance that an extraneous NULL will provide a buffer overrun.

I honestly find the XML constraint about NULLs so 80s. I'd argue that not needing to have a special encoding scheme (or four: hexBinary, url-encoding, base64Binary, uu-encoded) for any datatype that might someday in its future have a NULL in it is a significant advantage of SemWeb over the XML stack.

I note that none of the Turtle or SPARQL implementers have reported problems with this.

> David

--
-ericP

Received on Monday, 20 May 2013 18:48:07 UTC
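The kind of test the reply above refers to, as an added example that is not part of the original message or of any Turtle implementation: a C decoder for `\uXXXX` escapes in a Turtle string body that returns an explicit byte count, so `\u0000` survives as data where `strlen` would stop. `turtle_unescape`, `hex4` and `DECODE_ERR` are hypothetical names, the sample literal is constructed, and only `\uXXXX`, `\\`, `\"` and `\n` are handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DECODE_ERR ((size_t)-1)
/* Parse exactly four hex digits; returns the value or -1. */
static long hex4(const char *p) {
    char buf[5] = {p[0], p[1], p[2], p[3], 0};
    for (int i = 0; i < 4; i++) if (!isxdigit((unsigned char)buf[i])) return -1;
    return strtol(buf, NULL, 16);
}

/* Decode a Turtle string body of n bytes into UTF-8 in dst (capacity cap).
 * Returns the decoded byte count, never relying on a terminator, so an
 * embedded U+0000 (raw or escaped) is ordinary data. DECODE_ERR on bad input. */
size_t turtle_unescape(const char *src, size_t n, unsigned char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        long cp = (unsigned char)src[i]; int raw = 1;
        if (src[i] == '\\') {
            if (++i >= n) return DECODE_ERR;           /* dangling backslash */
            raw = 0;
            if (src[i] == 'u') {
                if (n - i < 5 || (cp = hex4(src + i + 1)) < 0) return DECODE_ERR;
                if (cp >= 0xD800 && cp <= 0xDFFF) return DECODE_ERR; /* surrogate */
                i += 4;
            } else if (src[i] == 'n') cp = '\n';
            else if (src[i] == '\\' || src[i] == '"') cp = src[i];
            else return DECODE_ERR;
        }
        unsigned char enc[3]; size_t k;                 /* raw bytes pass through */
        if (raw || cp < 0x80) { enc[0] = (unsigned char)cp; k = 1; }
        else if (cp < 0x800) { enc[0] = (unsigned char)(0xC0 | (cp >> 6)); enc[1] = (unsigned char)(0x80 | (cp & 0x3F)); k = 2; }
        else { enc[0] = (unsigned char)(0xE0 | (cp >> 12)); enc[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F)); enc[2] = (unsigned char)(0x80 | (cp & 0x3F)); k = 3; }
        if (cap - o < k) return DECODE_ERR;             /* bounds check before write */
        memcpy(dst + o, enc, k); o += k;
    }
    return o;
}

int main(void) {
    const char lit[] = "ab\\u0000cd";                   /* constructed sample literal body */
    unsigned char out[16];
    size_t n = turtle_unescape(lit, sizeof lit - 1, out, sizeof out);
    printf("decoded=%zu strlen=%zu\n", n, strlen((const char *)out));
    return n == 5 ? 0 : 1;
}
```

The gap between the returned length and what `strlen` reports on the same buffer is the mismatch such a test is meant to catch.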