- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Wed, 19 Jun 2002 14:30:13 -0700
- To: "Julian Reschke" <julian.reschke@gmx.de>, <w3c-dist-auth@w3c.org>
> there was recently an xml-dev thread about security problems allowing > arbitrary XML in protocols (see for instance [1]). This topic is also discussed in RFC 2518, in Section 17.7 (Implications of XML External Entities). > As WebDAV doesn't need resolution of external entities / DTD > validation, I'd suggest to specfiy that servers and clients MUST NOT > resolve external entities, that is, MUST reject any WebDAV protocol > message that contains external entities. In RFC 2518, we didn't go so far as to outlaw external entities, since (a) it didn't seem that likely they would ever get shipped across the wire, and (b) they might be useful for extensibility. But, after several years of implementation, I don't know of any uses of XML external entities, so I'd be fine with prohibiting them. - Jim
Received on Wednesday, 19 June 2002 17:31:39 UTC