Parsing everything (was Re: [standards-jig] JNG Ramblings.)

Iain Shigeoka iain.shigeoka at
Fri Aug 16 15:56:51 UTC 2002

True.  I guess well-formedness checks could be a server side service.  I'm
not sure how useful it would be against malicious attacks but it would
probably help with unintentional errors.


On 8/16/02 3:19 AM, "Mike Lin" <mikelin at MIT.EDU> wrote:

> a server well-formedness check probably remains advisable for XML
> payloads. however, given a separate envelope format, a well-formedness
> check can be done at considerably less expense than loading into a DOM,
> which is what has to be done now.
> clients should nevertheless be prepared to recover from XML parse
> errors. with a framing protocol and document-per-packet this is not so
> hard.
> -- mike --
> On Fri, 2002-08-16 at 04:46, Matthias Wimmer wrote:
>> Hi Iain!
>> You may have noticed that I stopped writing comments to this thread ...
>>  but this one I have to reply :)
>> Iain Shigeoka wrote:
>>> XML is still passed.  But XML doesn't necessarily need to be parsed.  For
>>> example, if you know it is a message, it has a TTL of X, and a destination
>>> of Y, you can deliver it without parsing the XML.  In fact, you don't really
>>> care if it is XML which opens the possibility of pretty much sending
>>> anything in a message, (the <message> xml being the default... But binary or
>>> what have you is fair game).
>> I think the server should always parse the XML it routes. This makes it
>> harder for an attacker to send malicious data to a client.

More information about the Standards mailing list