- From: Rich Salz <rsalz@zolera.com>
- Date: Tue, 02 Oct 2001 21:50:33 -0400
- To: Bob Hutchison <hutch@xampl.com>
- CC: xml dist <xml-dist-app@w3.org>
> So we are talking about accommodating a very simple XML processor here. One
> that cannot recognise a DTD or a PI, yet that is smart enough to know how to
> skip over them. Does such a parser exist?

It can certainly be smart enough to see a <!DOCTYPE marker and barf. Seeing DOCTYPE is a lot different from adding entity support, as in <foo xmlns:ds="&dsig;">, particularly if they're external entities.

I also have security concerns about DTDs. Without any kind of security framework in place, a tricky client could send a server a SOAP message with an external entity that the server will blindly access, when the client itself was disallowed.

Do you know any XML processors that have access-checking-callbacks on entity resolution?

/r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
Received on Tuesday, 2 October 2001 21:49:22 UTC
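
An added example, not part of the original message: a sketch of the two behaviours discussed above, using the expat bindings in Python's standard library. A strict mode fails on any DOCTYPE, and a policy mode consults an access-checking callback before accepting an external entity reference. The names `parse_message`, `Rejected` and `entity_check`, and the sample hostnames, are assumptions made for the illustration.

```python
import xml.parsers.expat as expat

class Rejected(ValueError):
    """The message violates the parsing policy."""

def parse_message(data, entity_check=None):
    """Return element names in document order; nothing is ever fetched.

    entity_check=None: refuse any DOCTYPE outright.
    entity_check(system_id, public_id) -> bool: permit a DOCTYPE, but ask
    before accepting each external general entity reference.
    """
    names = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if entity_check is None:
            raise Rejected(f"DOCTYPE {name!r} not allowed")

    def on_external_entity(context, base, system_id, public_id):
        if not entity_check(system_id, public_id):
            raise Rejected(f"external entity {system_id!r} denied")
        return 1  # approved by policy; this sketch still does not dereference it

    parser.StartDoctypeDeclHandler = on_doctype
    if entity_check is not None:
        parser.ExternalEntityRefHandler = on_external_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise Rejected(f"not well-formed: {exc}") from exc
    return names

# Constructed sample messages; the hostnames are placeholders.
PLAIN = b"<Envelope><Body/></Envelope>"
WITH_ENTITY = (b'<!DOCTYPE Envelope [<!ENTITY ext SYSTEM '
               b'"http://intranet.example/private.xml">]>'
               b"<Envelope><Body>&ext;</Body></Envelope>")

if __name__ == "__main__":
    print(parse_message(PLAIN))
    same_site = lambda sysid, pubid: sysid.startswith("https://soap.example/")
    for policy in (None, same_site):
        try:
            print(parse_message(WITH_ENTITY, policy))
        except Rejected as err:
            print("rejected:", err)
```
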