- From: Miles Sabin <miles@milessabin.com>
- Date: Wed, 30 Oct 2002 20:51:57 +0000
- To: www-tag@w3.org
Chris Lilley wrote,

> How is that different from html pages that link to external images
> that the browser may be 'coerced' to open?

It's the same problem, but in a different context. That on its own is enough to cause problems.

The awkward thing is that the mantra "always validate inputs from untrusted sources" actually hurts here because someone might naively assume that this means that untrusted XML inputs should be validated in the sense of the XML REC ... but in at least some cases the very act of attempting validation will trigger the dangerous behaviour, e.g. retrieving an uncached DTD external subset.

So it's not a new problem, and the solutions are obvious to anyone who understands it. But for all that I'm sure people will make mistakes and they'll be exploited.

I think it would be a good idea that if the Architectural Principles doc is going to highlight a principle that states,

    Representation retrieval is safe: Agents do not incur obligations by retrieving a representation.

it should qualify that by pointing out that "safe" is being used here in the sense of RFC 2616 rather than in any more general sense, and that even if agents don't incur any obligations they might still get burnt.

Cheers,

Miles
Received on Wednesday, 30 October 2002 15:52:29 UTC
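The DTD-fetch side effect Sabin describes, as an added example that is not part of the original post, using Python's standard xml.sax on top of expat: the parser does not validate at all, yet merely parsing a document whose DOCTYPE names an external subset makes it ask the entity resolver for that URL once external general entities are enabled. The host name, the sample document and the recording resolver are constructed for the demonstration.

```python
import io
from xml.sax import make_parser, handler
from xml.sax.xmlreader import InputSource

# Constructed sample: an untrusted document whose DOCTYPE points at an
# external DTD subset on a host the parser would otherwise contact.
UNTRUSTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://dtd.example.invalid/doc.dtd">
<doc>hello</doc>"""


class RecordingResolver(handler.EntityResolver):
    """Stands in for the network: records every external resource the
    parser asks for and hands back an empty DTD instead of fetching it."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource()
        src.setByteStream(io.BytesIO(b""))  # nothing is retrieved
        return src


def parse_untrusted(data, allow_external_ges):
    """Parse `data` with xml.sax and return the list of external
    resources the parser tried to retrieve as a side effect."""
    parser = make_parser()
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    # The expat reader leaves external general entities off by default
    # (since Python 3.7.1). Turning them on is what makes the DOCTYPE's
    # external subset get resolved, even though nothing is validated.
    parser.setFeature(handler.feature_external_ges, allow_external_ges)
    parser.parse(io.BytesIO(data))
    return resolver.requested


if __name__ == "__main__":
    print("external GEs off:", parse_untrusted(UNTRUSTED_XML, False))
    print("external GEs on: ", parse_untrusted(UNTRUSTED_XML, True))
```

Keeping the feature off, or installing a resolver that refuses anything it did not expect, is the check to apply before handing untrusted XML to a parser; a resolver that logs what was requested also gives the operator a record of attempted fetches.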