On Fri, 21 Feb 2014 16:18:33 +0100
Szabolcs Nagy <nsz_AT_port70.net> wrote:
> xml is not just markup but
>
> http://www.w3.org/TR/REC-xml/#charencoding
> (mandatory utf-8 and utf-16 support with bom)
What's wrong with UTF-8?
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> (xml injection, unauthorized document access)
Fortunately, browsers don't allow this.
> https://en.wikipedia.org/wiki/Billion_laughs
> (DoS: exp or quadratic blowup of entities)
Also, easily avoidable.
> it's much better to use a restricted specific language
> with simple well defined semantics than generic things
> like sgml and xml (with arbitrary long tag and attribute
> names), once you do this the origin (sgml, xml,..) does
> not matter
At the cost modularity. Still, I'd welcome a solution like this!
--
FRIGN <dev_AT_frign.de>
Received on Fri Feb 21 2014 - 14:39:39 CET
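Both parser-side problems quoted in this thread (entity blow-up and external entity access) hinge on the DTD, so a parser that refuses any DOCTYPE up front sidesteps both. The following is an added example, not code from the thread, using only Python's standard-library expat bindings; the sample documents are constructed for the illustration.

```python
"""Reject XML carrying a DTD before any entity can be declared or expanded."""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_strict(data: bytes) -> list:
    """Parse `data` with expat and return (tag, attrs) for each start tag.

    A DOCTYPE aborts the parse: internal entities are what the entity
    blow-up relies on, external entities are what XXE relies on, and a
    data format that never needed a DTD loses nothing by banning it.
    """
    parser = expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity in the subset is seen.
        raise UnsafeXML(f"DOCTYPE {name!r} not permitted (sysid={sysid!r})")

    def on_entity(name, *decl):
        # Defence in depth: never reached when on_doctype rejects first.
        raise UnsafeXML(f"entity declaration {name!r} not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return elements


def is_safe(data: bytes) -> bool:
    """True when the document parses without any DTD machinery."""
    try:
        parse_strict(data)
    except UnsafeXML:
        return False
    return True


# Constructed samples: a plain document, one with nested internal entities
# (the shape the blow-up uses) and one declaring an external entity.
SAFE = b'<config><setting name="mode">strict</setting></config>'
INTERNAL_DTD = b'<!DOCTYPE d [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><d>&b;</d>'
EXTERNAL_DTD = b'<!DOCTYPE d [<!ENTITY e SYSTEM "http://example.invalid/x">]><d>&e;</d>'

if __name__ == "__main__":
    for label, doc in (("safe", SAFE), ("internal", INTERNAL_DTD), ("external", EXTERNAL_DTD)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```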