WebDAV XML handling vs. external entities

Hi,

there was recently an xml-dev thread about security problems allowing
arbitrary XML in protocols (see for instance [1]).

As WebDAV doesn't need resolution of external entities / DTD validation, I'd
suggest to specify that servers and clients MUST NOT resolve external
entities, that is, MUST reject any WebDAV protocol message that contains
external entities.

Feedback appreciated.



[1] <http://lists.xml.org/archives/xml-dev/200206/msg00247.html>

Received on Wednesday, 19 June 2002 03:31:55 UTC
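
One way a WebDAV server or client could enforce the rule proposed in the message above, shown as an added example that is not part of the original post. It uses Python's standard expat binding; the function names, the exception class and the sample bodies are hypothetical and constructed for illustration. Internal entities are outside the proposal and are left alone here.

```python
import xml.parsers.expat

class ExternalEntityError(ValueError):
    """The message declares or references an external entity."""

def parse_webdav_body(body: bytes) -> list:
    """Return element names in document order; raise on any external entity."""
    names = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> or PUBLIC: an external DTD subset.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError("external DTD subset")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External general, parameter and unparsed entities carry an identifier.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError("external entity declared: " + name)

    def on_external_ref(context, base, system_id, public_id):
        # Backstop: never fetch anything, fail the message instead.
        raise ExternalEntityError("external entity referenced")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(body, True)  # exceptions raised in handlers propagate out
    return names

def is_acceptable(body: bytes) -> bool:
    """True if the body passes the 'no external entities' rule."""
    try:
        parse_webdav_body(body)
        return True
    except ExternalEntityError:
        return False

# Constructed sample bodies (not taken from the original post).
PROPFIND_OK = (b'<?xml version="1.0" encoding="utf-8"?>'
               b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/>'
               b'</D:prop></D:propfind>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE propfind ['
                   b'<!ENTITY ext SYSTEM "http://example.invalid/ext.xml">]>'
                   b'<propfind xmlns="DAV:"><prop>&ext;</prop></propfind>')
EXTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE propfind SYSTEM "http://example.invalid/dav.dtd">'
                b'<propfind xmlns="DAV:"/>')
```

A caller would map `ExternalEntityError` to a rejection of the request; malformed XML still surfaces separately as `xml.parsers.expat.ExpatError`.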