On Thu, 21 Feb 2013 11:35:23 +1300, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
> Carl Meyer wrote:
> > An XML parser that follows the XML standard is never safe to expose to
> > untrusted input.
>
> Does the XML standard really mandate that a conforming parser
> must blindly download any DTD URL given to it from the real
> live internet? Somehow I doubt that.

I don't believe it does. The DTD URL is, if I remember correctly,
specified as an identifier. The fact that you can often also download
the DTD from the location specified by the identifier is a secondary
effect.

But, it's been a *long* time since I looked at XML :)

(Wikipedia says: "Programs for reading documents may not be required to
read the external subset.", which would seem to confirm that.)

--David
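The following is an added illustration of the point discussed in the message above, not part of the original e-mail or of any project's code: a Python sketch using the standard library's `xml.parsers.expat`, in which the DTD URL and an external entity's URL reach the application as plain identifiers and nothing is fetched. The sample document, its `.invalid` URLs and the function name `parse_without_fetching` are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample document; both URLs are placeholders under .invalid.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd" [
  <!ENTITY ext SYSTEM "http://files.example.invalid/greeting.txt">
]>
<note>&ext;</note>
"""


def parse_without_fetching(data):
    """Parse data with expat, recording external identifiers instead of loading them."""
    seen = {"doctype": None, "external_requests": [], "elements": []}
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # The DTD URL arrives as a plain string; nothing is downloaded.
        seen["doctype"] = (name, sysid, pubid)

    def external_entity_ref(context, base, sysid, pubid):
        # expat hands the decision to the application. Log and skip the entity.
        seen["external_requests"].append(sysid)
        return 1  # non-zero: carry on parsing without the entity's content

    def start_element(name, attrs):
        seen["elements"].append(name)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    # Parameter-entity parsing stays at expat's default (never), so the
    # external DTD subset is not requested at all.
    parser.Parse(data, True)
    return seen


if __name__ == "__main__":
    print(parse_without_fetching(SAMPLE))
```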