Re: [svgwg] Why does xmlns use http not https? (#738)

That exploit is related specifically to the caching of external entities. And possibly DTDs - it's not clear.

DTDs are the `<!DOCTYPE...` part of an XML file. They can contain a URL that points to a schema file that describes the format of the XML file.  Which elements can be children of other elements etc.

Entities are of the form `<!ENTITY...`. They can define snippets of XML or text that can be reused within the XML file. External entities are ones that are stored external to the XML file and are referenced by a URL.

The value inside an `xmlns` attribute should never be fetched by an XML parser because it is not defined to be a URL. It is just an identifier string that identifies the variant of XML. Think of it as being equivalent to a MIME type, or the magic strings such as "JFIF" in a JPEG header.


-- 
GitHub Notification of comment by BigBadaboom
Please view or discuss this issue at https://github.com/w3c/svgwg/issues/738#issuecomment-546266794 using your GitHub account

Received on Friday, 25 October 2019 08:55:44 UTC
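
The distinction drawn in the comment above, as an added example that is not part of the original message or of any project's code: Python's expat binding parses a constructed document and records every URL the parser asks the application to resolve, which covers the DTD and the external entity but never the `xmlns` value. The hosts `dtd.example` and `entity.example` and the function names are assumptions made for illustration; nothing is fetched.

```python
from xml.parsers import expat

# Constructed sample: an external DTD, an external entity and an xmlns identifier.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE svg SYSTEM "http://dtd.example/svg.dtd" [
  <!ENTITY ext SYSTEM "http://entity.example/snippet.xml">
]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&ext;</title></svg>
"""

SVG_ROOT = "http://www.w3.org/2000/svg svg"  # namespace identifier + local name


def parse_and_record(document: bytes):
    """Return (URLs the parser asked to resolve, namespace-qualified element names)."""
    requested, names = [], []
    parser = expat.ParserCreate(namespace_separator=" ")
    # Ask expat to report the external DTD subset as well as external entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_ref(context, base, system_id, public_id):
        # Record the request and fetch nothing; returning 1 lets parsing continue.
        requested.append(system_id)
        return 1

    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(document, True)
    return requested, names


def is_svg_root(document: bytes) -> bool:
    """True when the root element's name carries the exact SVG namespace string."""
    _, names = parse_and_record(document)
    return names[0] == SVG_ROOT


if __name__ == "__main__":
    requested, names = parse_and_record(SAMPLE)
    print("resolution requests:", requested)   # DTD and entity only
    print("element names:", names)             # xmlns value is part of each name
    edited = SAMPLE.replace(b'xmlns="http://', b'xmlns="https://')
    print("still SVG after http->https edit:", is_svg_root(edited))
```

Because the namespace string is compared character for character, the `https` variant is simply a different identifier, and the root element stops being recognised as SVG.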