* FRIGN <dev_AT_frign.de> [2014-02-21 12:03:00 +0100]:
> I really don't see your point why exactly XML should be bad for the
> web.
> If you write proper, well-formed markup, nothing really changes for
> you, except that the browser _knows_ it's dealing with proper markup
> and doesn't have to "fire up" it's forgiving but sloppy SGML-parser.
>
> It may not be clear here that switching from SGML to XML parsing only
> incorporates changing the MIME-type from text/html to application/xhtml
> +xml.
xml is not just markup but
http://www.w3.org/TR/REC-xml/#charencoding
(mandatory utf-8 and utf-16 support with bom)
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
(xml injection, unauthorized document access)
https://en.wikipedia.org/wiki/Billion_laughs
(DoS: exp or quadratic blowup of entities)
and various xml validation issues and implementation bugs..
it's much better to use a restricted specific language
with simple well defined semantics than generic things
like sgml and xml (with arbitrary long tag and attribute
names), once you do this the origin (sgml, xml,..) does
not matter
Received on Fri Feb 21 2014 - 16:18:33 CET