On Mon, Aug 24, 2009 at 11:09:37AM -0400, Amelia A Lewis wrote:
> On Mon, 24 Aug 2009 11:07:34 +0200, Michael Ludwig wrote:
> > Precisely why the internal DTD subset should be such a problem,
> > I don't understand. [...]
>
> Google "billion laughs".

Google "poorly-trained programmers who write bad code" :)

JavaScript has as many vulnerabilities as XML in this regard
(and watch for all those books and articles saying you load
JSON in a browser using "eval")

There _is_ an issue with an external DTD subset that I think is a
real one, although perhaps not as major as some say - browser
writers want to avoid having to download a file that can change
the structure of the document, as then either the browser must
wait before rendering anything, or the document may need to be
rendered again from scratch. E.g. a dtd that puts the root
element in a different namespace using a fixed attribute.

Liam

--
Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/
http://www.holoweb.net/~liam/ * http://www.fromoldbooks.org/
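An added example, not part of the message above or of any poster's code: a Python sketch that uses expat's declaration handlers to report the DTD features the thread discusses (internal subset, entities that reference other entities, an external subset identifier, and defaulted or `#FIXED` `xmlns` attributes) without fetching anything. The sample documents, the `urn:example:ns` namespace and the `example.invalid` URL are constructed; the `#FIXED` declaration is placed in the internal subset so the effect is visible offline, whereas the same declaration in an external DTD only takes effect in a parser that downloads it.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample documents (not from the thread).
NESTED = b'<!DOCTYPE d [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]><d>&b;</d>'
NS_FIXED = (b'<!DOCTYPE doc SYSTEM "http://example.invalid/doc.dtd" ['
            b'<!ATTLIST doc xmlns CDATA #FIXED "urn:example:ns">]><doc/>')


def inspect_dtd(xml_bytes):
    """Report DTD features of a document; expat fetches nothing external here."""
    report = {"internal_subset": False, "external_id": None,
              "entities": [], "nested_entities": [], "ns_defaults": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["internal_subset"] = bool(has_internal_subset)
        report["external_id"] = system_id  # None when no external subset is named

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append(name)
        # Heuristic: replacement text that references other entities is the
        # building block of exponential ("billion laughs") expansion.
        if value and "&" in value:
            report["nested_entities"].append(name)

    def on_attlist(elname, attname, att_type, default, required):
        # A defaulted or #FIXED xmlns attribute changes an element's namespace.
        if default is not None and (attname == "xmlns" or attname.startswith("xmlns:")):
            report["ns_defaults"].append((elname, attname, default))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.AttlistDeclHandler = on_attlist
    parser.Parse(xml_bytes, True)
    return report


def root_tag(xml_bytes):
    """Root element name as a namespace-aware parser (ElementTree) sees it."""
    return ET.fromstring(xml_bytes).tag


if __name__ == "__main__":
    print(inspect_dtd(NESTED))
    print(inspect_dtd(NS_FIXED))
    print(root_tag(b"<doc/>"), "vs", root_tag(NS_FIXED))
```

A consumer that wants the rendering to be independent of DTD retrieval can use such a report to reject or flag documents before full processing.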