- From: Leonard Rosenthol <lrosenth@adobe.com>
- Date: Fri, 22 Jan 2016 19:25:02 +0000
- To: Sairus Patel <sppatel@adobe.com>, "public-svgopentype@w3.org" <public-svgopentype@w3.org>, Cameron McCormack <cam@mcc.id.au>, Chris Lilley <chris@w3.org>, Vladimir Levantovsky <Vladimir.Levantovsky@monotype.com>
- Message-ID: <88B8ABD0-4FBB-4A72-9981-D0D74D37929C@adobe.com>
In other instances of embedded XML content inside of containers – such as XFA forms in a PDF – the standard security best practice is indeed to NOT process any DTD or NS links.

Leonard

From: Sairus Patel <sppatel@adobe.com>
Date: Friday, January 22, 2016 at 1:03 PM
To: "public-svgopentype@w3.org" <public-svgopentype@w3.org>, Cameron McCormack <cam@mcc.id.au>, "chris@w3.org" <chris@w3.org>, Vladimir Levantovsky <Vladimir.Levantovsky@monotype.com>
Subject: http references in an OT font's SVG docs (xmlns, dtd)
Resent-From: "public-svgopentype@w3.org" <public-svgopentype@w3.org>
Resent-Date: Friday, January 22, 2016 at 1:04 PM

Cam, Chris, Vlad, others:

1. Does the requirement to ignore external references when processing SVG docs in an SVG-in-OT font include the dtd and xmlns http references in the header? Here's an example glyph from GeckoEmoji.ttf (http://people.mozilla.org/~jkew/opentype-svg/GeckoEmoji.html):

<![CDATA[<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN' 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>   ### <== dtd
<svg ...
  xmlns="http://www.w3.org/2000/svg"   ### <=== xmlns
  xmlns:xlink="http://www.w3.org/1999/xlink"   ### <=== xmlns
>
...

2. Also, since https://www.microsoft.com/typography/otspec/svg.htm says the required UA stylesheet must have:

@namespace svg url(http://www.w3.org/2000/svg)

there should be no need for the SVG doc in the font itself to have an xmlns (as in the above example), right (unless, presumably, it’s different from the UA stylesheet namespace)?

3. Also, is a dtd needed at all in the font's SVG doc? Hin-Tak Leung (who's working on the Microsoft Font Validator's SVG-in-OT support) brought this up a couple of days ago on the OT list. He said, re. the dtd in Gecko Emoji:

<<<
this causes the XML parser to go online to fetch the dtd from www.w3.org to actually validate the XML against the dtd. I know this behavior is technically correct, and XML parsers are supposed to validate whenever possible - and possibly cache the DTD whenever possible. But mono's XML parser happens not to do that, and hammering www.w3.org repeatedly for each glyph (or each run at least, it seems and it chokes on alternative runs when failing to fetch) seems stupid so I turn the validation feature off mono's parser manually.
>>>

Thanks,
Sairus
Received on Friday, 22 January 2016 19:25:36 UTC
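
An added example, not part of either message or of any font tool named in the thread: parsing a glyph document like the one quoted above with Python's standard-library expat bindings so that the DTD is never fetched, the xmlns values are handled as plain names, and link targets outside the document are listed rather than loaded. The sample document (including its `<use>` and `<image>` elements and the example.invalid URL) and the function name `inspect_glyph` are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample, modelled on the glyph header quoted in the message.
SAMPLE_GLYPH = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN'
  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" id="glyph2">
  <use xlink:href="#shape"/>
  <image xlink:href="http://example.invalid/a.png"/>
</svg>
"""

XLINK_HREF = "http://www.w3.org/1999/xlink href"  # expat joins URI and local name


def inspect_glyph(data):
    """Parse one glyph document without dereferencing any URL it contains."""
    report = {"doctype": None, "namespaces": {}, "elements": [], "ignored": []}
    parser = expat.ParserCreate(namespace_separator=" ")
    # Do not request the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # The DOCTYPE identifiers are recorded as text only.
        report["doctype"] = {"public": public_id, "system": system_id}

    def on_namespace(prefix, uri):
        # A namespace URI is an opaque name used for comparison, never a fetch.
        report["namespaces"][prefix or ""] = uri

    def on_element(name, attrs):
        report["elements"].append(name)
        for key in ("href", XLINK_HREF):
            target = attrs.get(key)
            if target and not target.startswith("#"):
                report["ignored"].append(target)  # external reference: skip it

    def on_external_entity(context, base, system_id, public_id):
        report["ignored"].append(system_id)
        return 1  # continue parsing without loading the entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartNamespaceDeclHandler = on_namespace
    parser.StartElementHandler = on_element
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return report


if __name__ == "__main__":
    print(inspect_glyph(SAMPLE_GLYPH))
```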