List: xalan-c-users
Subject: Re: rejecting a uri using EntityResolver
From: David Bertoni <dbertoni () apache ! org>
Date: 2008-03-06 17:32:33
Message-ID: 47D02AB1.5090806 () apache ! org
David Hubbard wrote:
> Hi all,
>
> For security reasons I am trying to use resolveEntity to reject any uri
> that is not in an approved list of sources. I have the code running and
> if the uri is not in my list I return null. However, the behavior of
> xalanc is different than I anticipated. If null is returned as the input
> source
You need to read the specification for EntityResolver to understand how
things work. Returning a NULL pointer simply tells the SAX parser to
process the system ID as it normally would. The header file for
EntityResolver provides some clues, but the full description is here:
http://www.saxproject.org/apidoc/org/xml/sax/EntityResolver.html
>
> then the following happens after resolveEntity is called ( this is in
> xalanc\XSLT\XSLTProcessorEnvSupportDefault.cpp ):
...
>
> If null is returned by resolveEntity then the else branch is taken and
> the url is used anyway. Am I trying to use the EntityResolver interface
> for something it is not intended for?
The canonical way to handle this is to return an InputSource that provides
an empty entity. You could use a MemBufInputSource, or a
LocalFileInputSource with the name of a known, empty file.
The only caveat is that substituting an empty entity for the proper one can
lead to subtle differences in behavior or to errors. For example, a DTD
that contains default attributes will provide a different information set
than a substitute empty DTD.
Dave
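As an added example that is not part of this thread and is not Xalan-C or Xerces-C code: the same allow-list resolver written against Python's standard-library SAX parser (xml.sax), which implements the SAX EntityResolver contract the reply links to. Everything in it (class and function names, the approval policy, the constructed sample document and the attacker URL) is this example's own choice. Two differences from Xerces-C matter when reading it: xml.sax's way of saying "resolve the system ID as you normally would" is to return the system ID itself (the base class default), not None; and xml.sax skips external general entities entirely unless feature_external_ges is switched on, so the feature is enabled here to make the resolver the thing that decides.

```python
# Added example, not code from the thread: an allow-list EntityResolver for
# Python's standard-library SAX parser (xml.sax).  Names, the allow-list
# policy and the sample document are all this example's own construction.
import io
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import url2pathname
from xml.sax import handler, make_parser
from xml.sax.xmlreader import InputSource


class AllowListResolver(handler.EntityResolver):
    """Let the parser fetch only entities that come from approved sources.

    origins:     (scheme, host) pairs, e.g. ("https", "www.w3.org")
    directories: local directories whose files may be loaded via file: URIs
    Anything else is replaced by an empty entity, the substitution the thread
    recommends, so nothing is fetched; rejected system IDs are kept for auditing.
    """

    def __init__(self, origins=(), directories=()):
        self.origins = {(scheme.lower(), host.lower()) for scheme, host in origins}
        self.directories = [os.path.realpath(d) for d in directories]
        self.rejected = []

    def approved(self, system_id):
        parts = urlsplit(system_id)
        if parts.scheme == "file":
            # realpath() on both sides so "..", symlinks and %2e%2e escapes
            # cannot step outside an approved directory.
            path = os.path.realpath(url2pathname(parts.path))
            return any(os.path.commonpath([d, path]) == d for d in self.directories)
        try:
            # "https://www.w3.org@evil.example/" carries userinfo; refuse it
            # rather than risk matching the approved name in the wrong place.
            if parts.username is not None or parts.port is not None:
                return False
        except ValueError:  # malformed port in the URI
            return False
        # A relative system ID has no scheme and is rejected rather than guessed at.
        return (parts.scheme.lower(), parts.hostname or "") in self.origins

    def resolveEntity(self, publicId, systemId):
        if systemId and self.approved(systemId):
            # xml.sax's equivalent of returning NULL to Xerces-C: hand the
            # system ID back and the parser resolves it normally.
            return systemId
        self.rejected.append(systemId)
        empty = InputSource(systemId)
        empty.setByteStream(io.BytesIO(b""))  # the empty entity; nothing is fetched
        return empty


class TextCollector(handler.ContentHandler):
    """Record the character data that ends up inside each element."""

    def __init__(self):
        super().__init__()
        self.texts = {}
        self._open = []

    def startElement(self, name, attrs):
        self._open.append(name)
        self.texts.setdefault(name, "")

    def endElement(self, name):
        self._open.pop()

    def characters(self, content):
        if self._open:
            self.texts[self._open[-1]] += content


def parse_with_allowlist(xml_bytes, resolver):
    """Parse xml_bytes with every external entity load gated by resolver."""
    parser = make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    # xml.sax ignores external general entities by default; enable them so the
    # resolver, not the parser default, decides which ones are loaded.
    parser.setFeature(handler.feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.texts


def demo():
    """Constructed document: one approved external entity, one that is not."""
    with tempfile.TemporaryDirectory() as tmp:
        approved_file = Path(tmp, "approved.txt")
        approved_file.write_bytes(b"approved text")
        xml_bytes = (
            "<!DOCTYPE doc [\n"
            f'  <!ENTITY ok SYSTEM "{approved_file.as_uri()}">\n'
            '  <!ENTITY bad SYSTEM "http://attacker.invalid/exfil">\n'
            "]>\n"
            "<doc><ok>&ok;</ok><bad>&bad;</bad></doc>"
        ).encode()
        resolver = AllowListResolver(directories=[tmp])
        texts = parse_with_allowlist(xml_bytes, resolver)
    return texts, resolver.rejected


if __name__ == "__main__":
    print(demo())
```

Running demo() yields "approved text" inside the ok element and nothing inside bad, with the attacker URL recorded in resolver.rejected and never fetched. The caveat from the reply carries over unchanged: an empty substitute for a DTD still alters the information set (default attributes, entity declarations), so the rejected list is worth logging rather than silently swallowing.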