RE: Action-539: review C14N2.0

> Section 6: Qnames in content. Searching all text nodes for potential use
> of prefixes is a horribly bad idea. Besides the performance overhead
> you'll get weird matches, resulting in different namespace declarations
> being covered within structurally identical XML documents. Major source
> of confusion and unexplainable signature invalidations.

I don't propose searching all text nodes, but I do believe enumerating the
qualified names of nodes that are QName-valued to be useful and frankly
necessary.

On a separate but similar topic, I also think in the absence of schema-aware
c14n that we have an obligation to allow the specification of ID-valued
attributes to ensure better and safer interop of ID-based references. It
doesn't by itself address wrapping attacks but it's an improvement on
guessing ID-ness.

(To anticipate a response, yes, in an ideal world we'd just use schemas and
both issues would be addressed. But in this world, people often don't use
them at runtime, nor do they use DTDs.)

-- Scott

Received on Monday, 19 April 2010 17:03:25 UTC