

Rob Lugt wrote,
> Miles Sabin wrote
> > Which means that even if developers are aware that they ought to
> > disable external entity retrieval, and are aware of how to do it,
> > they have no guarantee that it'll actually happen.
>
> Sure they do.  If the SAX parser they are using doesn't support the
> feature, then they'll get an UnsupportedFeatureException when they
> try to set it.

But then we have a slightly different problem. Developers who try to do 
the right thing will be hit by interoperability issues. Either that or 
they have to specify a particular (set of) SAX implementation(s) which 
somewhat undermines SAX as a common API.

On reflection, I think that SAX should be tweaked to at least require 
support for this feature, and maybe mandate that the default be to not 
retrieve external entities.

Cheers,


Miles
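An added example, not part of the original message or of any SAX implementation: one way for calling code to fail closed when a parser cannot disable external entity retrieval. It assumes a JAXP-provided SAX2 parser, where the exceptions actually thrown by `setFeature` are `SAXNotRecognizedException` and `SAXNotSupportedException`; the class name `StrictSaxReader` and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class StrictSaxReader {  // hypothetical class name
    // Standard SAX2 feature URIs controlling external entity retrieval.
    static final String[] EXTERNAL_ENTITY_FEATURES = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
    };

    /** Returns a reader with external entities off, or throws if that cannot be guaranteed. */
    static XMLReader newReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        for (String feature : EXTERNAL_ENTITY_FEATURES) {
            try {
                reader.setFeature(feature, false);
            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
                // Fail closed: never parse untrusted input with this implementation.
                throw new IllegalStateException("SAX parser cannot disable " + feature, e);
            }
            // Read the value back rather than trusting a silent no-op.
            if (reader.getFeature(feature)) {
                throw new IllegalStateException(feature + " is still enabled");
            }
        }
        // Portable second layer: any entity the parser still tries to resolve aborts the parse.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity refused: " + systemId);
        });
        return reader;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document with no external references.
        String xml = "<?xml version=\"1.0\"?><order id=\"1\"><item>widget</item></order>";
        XMLReader reader = newReader();
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(xml)));
        System.out.println("parsed with external entity retrieval disabled");
    }
}
```

The `EntityResolver` is part of the core SAX API, so that layer does not depend on which optional features a given implementation supports.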
