RE: Xpath wrapping attack

I don't want to add another parameter to C14N just for this. We are already in the mode of trying to reduce parameters, so I wanted to reuse the QNameAware parameter. Besides, this is also a QNames-in-content issue, which is the main purpose of QNameAware.

We don't have a use case of XPaths in attributes, only in elements.

Pratik

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Thursday, October 28, 2010 11:10 AM
To: Pratik Datta; public-xmlsec@w3.org
Subject: RE: Xpath wrapping attack

> Currently we have a mechanism for defining text nodes that may contain
> qname, using the <c14n2:QNameAware> element, but this is only for text nodes
> whose entire content is a QName, it does not do any scanning.  So I propose
> that we add a new sub element to QNameAware and call it
> "<c14n2:XPathElement>". This would be used to identify elements that contain
> XPaths

I don't think that shouldn't be part of QNameAware. It sounds like you want
a new option, XPathAware, which probably derives from a common base type.

For example, you suggest allowing for element content, but what about
attributes?

I think it's better to keep them distinct options, and just share a content
model.

-- Scott

Received on Thursday, 28 October 2010 18:59:29 UTC