- From: Daniel Veillard <daniel@veillard.com>
- Date: Mon, 6 Mar 2006 17:46:19 +0100
- To: John Boyer <boyerj@ca.ibm.com>
- Cc: daniel@veillard.com, "Henry S. Thompson" <ht@inf.ed.ac.uk>, public-xml-core-wg@w3.org, public-xml-core-wg-request@w3.org
On Mon, Mar 06, 2006 at 07:58:18AM -0800, John Boyer wrote: > But again, it's not a security problem that arises *because* of the > inheritance rule. > It is an orthogonal security problem, and an extreme edge case, that > authors could > experience if they *express* an xml:base (non-inherited) on a node > *and* it is orphaned by a filter *and* the xml:base contains a relative > URI. > > While the inheritance rule has nothing to do with addressing this problem > (whether it should > be addressed notwithstanding), the inheritance rule does remove a certain > number of other > security issues, so there is certainly no harm in retaining it. Copying the xml:base when we know it's likely to break should then not be done, I think it's better to let the user fully handle the case than handle it half way leading to deceiving expectations. I really don't think xml:base should be copied by default processing of c14n if we don't do it in a sematically correct way. Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ |
Received on Monday, 6 March 2006 16:48:51 UTC