- From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
- Date: Thu, 26 Feb 2004 16:16:31 -0500
- To: <www-xml-xinclude-comments@w3.org>
What should a processor do if the accept attributes contain values that are illegal in an HTTP header? I'm not an expert on HTTP 1.1, so I'm not sure what can or cannot appear there (Are non-ASCII characters allowed?) but what about something like this:

<xi:include href="something.xml" accept="text/xml Another-Header: another value"/>

I'm sure there are other ways to break the HTTP header or insert data that wasn't expected to be inserted. There may be security holes here. A lot may depend on the underlying API used to communicate with the HTTP server. Some libraries may perform sufficient sanity checking themselves that this is not a problem. However, others may not.

Should the XInclude specification put more restraints on what is allowed in these attributes? Or at the very least note the issue in specs as something implementers should be careful to think about?

--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
Received on Thursday, 26 February 2004 16:26:48 UTC
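
Added example, not part of the original message and not code from any XInclude implementation: one way a processor could vet the accept attributes before copying them into request headers. The printable-ASCII policy, the function names and the sample document are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
HEADER_ATTRS = {"accept": "Accept", "accept-language": "Accept-Language"}


def check_header_value(attr, value):
    # Assumed policy: printable ASCII only (0x20-0x7E). This rejects CR, LF,
    # other control characters and non-ASCII text before a request is built.
    for pos, ch in enumerate(value):
        if not 0x20 <= ord(ch) <= 0x7E:
            raise ValueError(
                f"{attr}: disallowed character U+{ord(ch):04X} at offset {pos}")
    return value


def request_headers(include_elem):
    """Return the HTTP headers for one xi:include element, or raise."""
    headers = {}
    for attr, header in HEADER_ATTRS.items():
        value = include_elem.get(attr)
        if value is not None:
            headers[header] = check_header_value(attr, value)
    return headers


def audit(xml_text):
    """Map each xi:include href to its headers or to the rejection reason."""
    report = {}
    for elem in ET.fromstring(xml_text).iter(XI_INCLUDE):
        try:
            report[elem.get("href")] = request_headers(elem)
        except ValueError as exc:
            report[elem.get("href")] = f"rejected ({exc})"
    return report


# Constructed sample. The parser turns a literal line break in an attribute
# into a space, but keeps &#13;&#10; as CR LF, so check the parsed value.
SAMPLE = """<doc xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="ok.xml" accept="text/xml" accept-language="en"/>
  <xi:include href="refs.xml" accept="text/xml&#13;&#10;Another-Header: another value"/>
  <xi:include href="literal.xml" accept="text/xml
Another-Header: another value"/>
</doc>"""

if __name__ == "__main__":
    for href, result in audit(SAMPLE).items():
        print(href, "->", result)
```

The check runs on the attribute value as delivered by the XML parser, so it does not depend on whether the HTTP library underneath performs its own sanity checking.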