> > I see three plausible hardening levels worth supporting:
> >
> > 1. No DOCTYPE allowed. Eliminates the entire class of DTD-based
> > attacks. This is what the draft implements.
> >
> > 2. DOCTYPE allowed, no external resources loaded. Internal entities
> > work (for users who need HTML-style named entities, for example),
> > entity expansion limits are enforced, but nothing is fetched from
> > outside the document.
> >
> > 3. DOCTYPE allowed, user-supplied resolver. The caller provides an
> > EntityResolver; we wrap it so that if the resolver returns null for
> > an unknown reference, we throw rather than falling through to the
> > parser's default URL-fetching behavior. This closes SAX's most
> > common footgun while letting integrators implement classpath-scoped
> > loading, XML catalogs, and similar.
> >
#2 is really as hard as anything needs to be. #1 doesn't add anything.
#3 is interesting. I can see this being useful.

-- 
Elliotte Rusty Harold
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
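For concreteness, the three levels quoted above map onto the JDK's built-in (Xerces-derived) SAX parser as follows. This is an example added by the editor; it is not the draft's code and not part of either message. The feature URIs are the standard SAX and Xerces ones; the class name, the method names, the urn:example:ents identifier, the file:///etc/hostname entity and the sample documents are all made up for the illustration. Level 3 is the interesting one: the wrapper turns a null from the caller's resolver into an exception instead of letting the parser open the system identifier as a URL.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Editor's example of the three DTD hardening levels; not the draft's own code. */
public final class DtdHardeningLevels {

    private static final String SAX_FEATURES = "http://xml.org/sax/features/";
    private static final String XERCES_FEATURES = "http://apache.org/xml/features/";

    private static SAXParserFactory factory() {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Level 1: any DOCTYPE is a fatal error, so no DTD-based attack can start. */
    static XMLReader level1() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = factory();
        f.setFeature(XERCES_FEATURES + "disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }

    /** Level 2: DOCTYPE and internal entities allowed, nothing fetched from outside. */
    static XMLReader level2() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = factory();
        // External general and parameter entities are skipped instead of loaded.
        f.setFeature(SAX_FEATURES + "external-general-entities", false);
        f.setFeature(SAX_FEATURES + "external-parameter-entities", false);
        // The external DTD subset named by the DOCTYPE is not loaded either.
        f.setFeature(XERCES_FEATURES + "nonvalidating/load-external-dtd", false);
        // Secure processing switches on the JDK's entity expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Belt and braces: if any external lookup still reaches the resolver, refuse it.
        r.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external resource blocked: " + systemId);
        });
        return r;
    }

    /**
     * Level 3: wrap the caller's resolver so a null result fails closed. SAX's
     * default on null is to open systemId as a URL; that is the footgun being closed.
     */
    static EntityResolver failClosed(EntityResolver delegate) {
        return (publicId, systemId) -> {
            InputSource resolved = delegate.resolveEntity(publicId, systemId);
            if (resolved == null) {
                throw new SAXException("unresolved external entity, refusing to fetch: " + systemId);
            }
            return resolved;
        };
    }

    static XMLReader level3(EntityResolver callerResolver)
            throws ParserConfigurationException, SAXException {
        XMLReader r = factory().newSAXParser().getXMLReader();
        r.setEntityResolver(failClosed(callerResolver));
        return r;
    }

    /** Parses doc with r and returns the concatenated character data. */
    static String textOf(XMLReader r, String doc) throws Exception {
        StringBuilder text = new StringBuilder();
        r.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        r.parse(new InputSource(new StringReader(doc)));
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one internal entity plus a SYSTEM entity pointing at a local file.
        String internalAndExternal = "<!DOCTYPE r [\n"
                + "  <!ENTITY nbsp \"&#160;\">\n"
                + "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n"
                + "]>\n<r>a&nbsp;b&leak;</r>";
        // Constructed sample: external subset under a made-up URN that the resolver knows.
        String knownDtd = "<!DOCTYPE r SYSTEM \"urn:example:ents\"><r>a&nbsp;b</r>";

        try {
            textOf(level1(), internalAndExternal);
        } catch (SAXException e) {
            System.out.println("level 1 rejected the DOCTYPE: " + e.getMessage());
        }

        // Level 2: nbsp expands from the internal subset; &leak; is skipped, not read from disk.
        System.out.println("level 2: [" + textOf(level2(), internalAndExternal) + "]");

        // Level 3: a resolver that only knows the URN and returns null for anything else.
        EntityResolver urnOnly = (publicId, systemId) ->
                "urn:example:ents".equals(systemId)
                        ? new InputSource(new StringReader("<!ENTITY nbsp \"&#160;\">"))
                        : null;
        System.out.println("level 3 resolved: [" + textOf(level3(urnOnly), knownDtd) + "]");
        try {
            textOf(level3(urnOnly), internalAndExternal);
        } catch (SAXException e) {
            System.out.println("level 3 refused: " + e.getMessage());
        }
    }
}
```

Without the wrapper, the last call would hand file:///etc/hostname to the parser's default URL loading because urnOnly returned null; with it, parsing stops at the reference. Level 2 relies on the parser skipping external entities outright, so the fail-closed resolver there is only a backstop for a misconfigured factory.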
