

David Megginson had a nice piece to this effect a few years ago:
http://www.megginson.com/ugly/index.html

"When XML Turns Ugly"

This was pre-schema, and still largely client-oriented, but has a lot of 
interesting pieces on the dangers of XML processing.

At 11:24 AM 6/8/2002 +0100, Miles Sabin wrote:
>Yes it is, but it's now pretty widely understood that HTML (with or
>without embedded scripts or objects) can be dangerous on the client.
>
>I don't think there's the same understanding of vulnerabilities on the
>server side: if you POST an HTML document to a server you wouldn't
>normally expect it to attempt to retrieve images or execute embedded
>scripts or objects. OTOH, with an XML POST to a validating XML
>processor, retrieval of referenced external entities is precisely what's
>going to happen in many cases.

Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue
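
A check a server could run on a POSTed document before handing it to a validating processor, shown as an added example that is not part of the original messages. It uses Python's `xml.parsers.expat`, which reports external identifiers to callbacks without fetching them; the function name, sample documents and the `example.invalid` host are constructed for illustration.

```python
import xml.parsers.expat


class ExternalReference(Exception):
    """Raised inside expat callbacks to abort the parse at the first hit."""


def find_external_reference(data: bytes):
    """Return a description of the first external reference in `data`,
    or None if the document is self-contained. Nothing is ever fetched:
    pyexpat only reports external identifiers to these callbacks."""
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> or PUBLIC "..." "...": external DTD subset
        if system_id is not None or public_id is not None:
            raise ExternalReference(f"external DTD subset {system_id!r}")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None when the entity's content lives outside the document
        if value is None:
            raise ExternalReference(f"external entity {name!r} -> {system_id!r}")

    def external_ref(context, base, system_id, public_id):
        # Reached only if a reference slipped past the declaration checks
        raise ExternalReference(f"external entity reference -> {system_id!r}")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except ExternalReference as hit:
        return str(hit)
    return None


# Constructed sample request bodies (example.invalid is a placeholder host)
SAMPLES = {
    "plain": b"<order><item/></order>",
    "internal": b'<!DOCTYPE order [<!ENTITY co "ACME">]><order>&co;</order>',
    "ext_dtd": b'<!DOCTYPE order SYSTEM "http://example.invalid/order.dtd"><order/>',
    "ext_entity": b'<!DOCTYPE order [<!ENTITY e SYSTEM "http://example.invalid/e.xml">]>'
                  b"<order>&e;</order>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", find_external_reference(body) or "no external references")
```

Malformed input still raises `xml.parsers.expat.ExpatError`, so a caller should treat that as a rejection as well.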

