Re: [dev] XML vs HTML (was: Article about suckless on root.cz)

From: FRIGN <dev_AT_frign.de>
Date: Fri, 21 Feb 2014 14:39:39 +0100

On Fri, 21 Feb 2014 16:18:33 +0100
Szabolcs Nagy <nsz_AT_port70.net> wrote:

> xml is not just markup but
>
> http://www.w3.org/TR/REC-xml/#charencoding
> (mandatory utf-8 and utf-16 support with bom)

What's wrong with UTF-8?

> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> (xml injection, unauthorized document access)

Fortunately, browsers don't allow this.

> https://en.wikipedia.org/wiki/Billion_laughs
> (DoS: exp or quadratic blowup of entities)

Also, easily avoidable.

> it's much better to use a restricted specific language
> with simple well defined semantics than generic things
> like sgml and xml (with arbitrary long tag and attribute
> names), once you do this the origin (sgml, xml,..) does
> not matter

At the cost of modularity. Still, I'd welcome a solution like this!

-- 
FRIGN <dev_AT_frign.de>
Received on Fri Feb 21 2014 - 14:39:39 CET
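
One way to screen for the external-entity and entity-blowup cases named in the quoted links before a document reaches a parser, as an added example that is not part of the original message. The names `expanded_size`, `UnsafeXML`, `limit` and the sample document are hypothetical, and the regular expressions only approximate DTD parsing, so this is a conservative pre-parse check rather than a parser.

```python
import re

# Internal <!ENTITY n "v"> / 'v' declarations, or the external SYSTEM/PUBLIC form.
DECL = re.compile(
    r'''<!ENTITY\s+(%\s+)?(\S+)\s+(?:(SYSTEM|PUBLIC)\b[^>]*|"([^"]*)"|'([^']*)')\s*>''')
REF = re.compile(r'&([^;&#\s]+);')  # general entity reference (not &#NN; char refs)

class UnsafeXML(ValueError):
    """The document fails the entity screening policy (hypothetical name)."""

def expanded_size(xml_text, limit=100_000):
    """Character count after entity expansion, computed without expanding.

    Raises UnsafeXML for external or parameter entities, recursive
    references, or an expanded size above `limit`.
    """
    values = {}
    for pct, name, external, dq, sq in DECL.findall(xml_text):
        if external or pct:
            raise UnsafeXML(f"external or parameter entity: {name}")
        values.setdefault(name, dq or sq)  # the first declaration is binding

    sizes = {}  # memo: entity name -> expanded length, so work stays linear

    def size_of(text, active):
        total = len(REF.sub('', text))
        for ref in REF.findall(text):
            if ref in active:
                raise UnsafeXML(f"recursive entity: {ref}")
            if ref not in sizes:
                # Undeclared names (amp, lt, ...) count as one character.
                sizes[ref] = size_of(values[ref], active | {ref}) if ref in values else 1
            total += sizes[ref]
            if total > limit:
                raise UnsafeXML(f"expansion exceeds {limit} characters")
        return total

    return size_of(DECL.sub('', xml_text), frozenset())

# Constructed sample: three nested levels, 10 references each.
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<d>&c;</d>'''
```

A declaration chain deeper than Python's recursion limit raises `RecursionError` instead of `UnsafeXML`; a caller should treat that as a rejection as well.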
