- From: Tim Bray <tbray@textuality.com>
- Date: Fri, 06 Dec 2002 07:04:10 -0800
- To: Elliotte Rusty Harold <elharo@metalab.unc.edu>
- Cc: www-tag@w3.org
Elliotte Rusty Harold wrote:

>> You're not correct. The billion laughs works just fine with only an
>> internal subset.
>
> I'm curious. Why is this called the "billion laughs" attack? The billion
> I get. I don't see the laughs though, but maybe I lack a sufficiently
> advanced sense of humor. :-)

Type "billion laughs" into Google. The original example used entities of
the form <!DEFINE e1 "ha ha ha ha ha"> and then exponentially exploded them.

>> Your notion about retaining entities but controlling their recursive
>> expansion is plausible and has come up a couple of times now.
>
> I can't say I like this. I don't approve of arbitrary limits to document
> size or depth of recursion. I can easily imagine some machine generated
> XML that needs to recurse deeply enough to enable the billion laughs
> attack without necessarily triggering it.

I can't. Example?

-Tim

Received on Friday, 6 December 2002 10:04:12 UTC
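
The depth-versus-size question raised in this exchange, as an added example that is not part of the original message or of any parser discussed in the thread: a pre-parse check that computes each internal entity's fully expanded length arithmetically, so a size budget can reject a shallow, wide set of declarations while accepting a deep, narrow one. The function names, the sample declarations and the per-entity budget are assumptions made for illustration; only internal general entities are handled, and character references are counted as literal text.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">
ENTITY_DECL = re.compile(r"<!ENTITY\s+([\w.-]+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&([\w.-]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character

def expanded_sizes(internal_subset):
    """Map each declared entity to its fully expanded length, computed
    arithmetically with memoisation so no replacement text is ever built."""
    decls = {}
    for name, dq, sq in ENTITY_DECL.findall(internal_subset):
        decls.setdefault(name, dq or sq)  # in XML the first declaration binds
    sizes = {}

    def size(name, active):
        if name in PREDEFINED:
            return 1
        if name in sizes:
            return sizes[name]
        if name in active:
            raise ValueError(f"entity {name!r} refers to itself")
        if name not in decls:
            raise ValueError(f"entity {name!r} is not declared")
        value = decls[name]
        literal = len(ENTITY_REF.sub("", value))  # text left after removing references
        sizes[name] = literal + sum(size(ref, active | {name})
                                    for ref in ENTITY_REF.findall(value))
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def within_budget(internal_subset, max_chars):
    """True if no single entity expands past max_chars (a size cap, not a depth cap)."""
    return all(n <= max_chars for n in expanded_sizes(internal_subset).values())

def chain(prefix, base, levels, fanout):
    """Constructed sample: each level refers to the one below it `fanout` times."""
    lines = [f'<!ENTITY {prefix}0 "{base}">']
    for i in range(1, levels + 1):
        refs = f"&{prefix}{i - 1};" * fanout
        lines.append(f'<!ENTITY {prefix}{i} "{refs}">')
    return "\n".join(lines)

LAUGHS = chain("e", "ha", levels=9, fanout=10)   # constructed: shallow but wide
DEEP = chain("d", "x", levels=100, fanout=1)     # constructed: deep but harmless
```

A depth limit of, say, 50 would reject `DEEP` and accept `LAUGHS`; the size budget does the opposite, which is the distinction the thread is arguing over.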