Parsing everything (was Re: [standards-jig] JNG Ramblings.)

Iain Shigeoka iain.shigeoka at messaginglogic.com
Fri Aug 16 15:56:51 UTC 2002


True.  I guess well-formedness checks could be a server side service.  I'm
not sure how useful it would be against malicious attacks but it would
probably help with unintentional errors.

-iain

On 8/16/02 3:19 AM, "Mike Lin" <mikelin at MIT.EDU> wrote:

> a server well-formedness check probably remains advisable for XML
> payloads. however, given a separate envelope format, a well-formedness
> check can be done at considerably less expense than loading into a DOM,
> which is what has to be done now.
> 
> clients should nevertheless be prepared to recover from XML parse
> errors. with a framing protocol and document-per-packet this is not so
> hard.
> 
> -- mike --
> 
> On Fri, 2002-08-16 at 04:46, Matthias Wimmer wrote:
>> Hi Iain!
>> 
>> You may have noticed that I stopped writing comments to this thread ...
>>  but to this one I have to reply :)
>> 
>> Iain Shigeoka wrote:
>> 
>>> XML is still passed.  But XML doesn't necessarily need to be parsed.  For
>>> example, if you know it is a message, it has a TTL of X, and a destination
>>> of Y, you can deliver it without parsing the XML.  In fact, you don't really
>>> care if it is XML which opens the possibility of pretty much sending
>>> anything in a message, (the <message> xml being the default... But binary or
>>> what have you is fair game).
>>>  
>>> 
>> I think the server should always parse the XML it routes. This makes it
>> harder for an attacker to send malicious data to a client.
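
Added example, not part of the original thread: a sketch of the separate-envelope idea discussed above, where routing fields are read without touching the payload and an optional well-formedness check streams the payload through expat instead of building a DOM. The envelope layout, the size limit and all function names are assumptions made for illustration; the thread does not define a wire format.

```python
import struct
from xml.parsers import expat

# Hypothetical envelope (assumption, not defined in the thread):
#   [4-byte header length]["kind;ttl;dest"][4-byte payload length][payload]
MAX_PAYLOAD = 64 * 1024  # constructed limit

def pack_frame(kind, ttl, dest, payload):
    header = f"{kind};{ttl};{dest}".encode()
    return (struct.pack(">I", len(header)) + header +
            struct.pack(">I", len(payload)) + payload)

def unpack_frame(frame):
    """Read routing fields from the envelope; the payload stays opaque bytes."""
    (hlen,) = struct.unpack_from(">I", frame, 0)
    header = frame[4:4 + hlen]
    (plen,) = struct.unpack_from(">I", frame, 4 + hlen)
    start = 8 + hlen
    if plen > MAX_PAYLOAD or len(frame) != start + plen:
        raise ValueError("bad frame length")
    kind, ttl, dest = header.decode().split(";", 2)
    return kind, int(ttl), dest, frame[start:]

def is_well_formed(payload):
    """Stream the payload through expat; no DOM tree is built."""
    parser = expat.ParserCreate()
    def reject_doctype(*args):
        raise ValueError("DOCTYPE not allowed")  # refuse DTDs and entity definitions
    parser.StartDoctypeDeclHandler = reject_doctype
    try:
        parser.Parse(payload, True)
        return True
    except (expat.ExpatError, ValueError):
        return False

def route(frame, check_xml=True):
    """Return (action, dest); one bad document rejects only its own frame."""
    try:
        kind, ttl, dest, payload = unpack_frame(frame)
    except (ValueError, struct.error):
        return ("reject", None)
    if ttl <= 0:
        return ("drop", dest)
    if check_xml and kind == "xml" and not is_well_formed(payload):
        return ("reject", dest)
    return ("deliver", dest)
```

With `check_xml=False` the router behaves as in the route-without-parsing model, so a malformed payload reaches the client, which then has to recover from the parse error itself.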
