- From: Pratik Datta <pratik.datta@oracle.com>
- Date: Thu, 28 Oct 2010 11:57:15 -0700 (PDT)
- To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org
I don't want to add another parameter to C14N just for this. We are already in mode of trying to reduce parameters, so I wanted to reuse the QNameAware parameter, besides this is also a QNames in content issue, which is main purpose of QNameAware. We don't have a use case of XPaths in attributes, only in elements. Pratik -----Original Message----- From: Scott Cantor [mailto:cantor.2@osu.edu] Sent: Thursday, October 28, 2010 11:10 AM To: Pratik Datta; public-xmlsec@w3.org Subject: RE: Xpath wrapping attack > Currently we have a mechanism for defining text nodes that may contain > qname, using the <c14n2:QNameAware> element, but this only for text nodes > whose entire content is a QName, it does not do any scanning. So I propose > that we add a new sub element to QNameAware and call it > "<c14n2:XPathElement>. This would be used to identify elements that contain > XPaths I don't think that shouldn't be part of QNameAware. It sounds like you want a new option, XPathAware, which probably derives from a common base type. For example, you suggest allowing for element content, but what about attributes? I think it's better to keep them distinct options, and just share a content model. -- Scott
Received on Thursday, 28 October 2010 18:59:29 UTC