List:       xalan-c-users
Subject:    Re: rejecting a uri using EntityResolver
From:       David Bertoni <dbertoni () apache ! org>
Date:       2008-03-06 17:32:33
Message-ID: 47D02AB1.5090806 () apache ! org
David Hubbard wrote:
> Hi all,
>
> For security reasons I am trying to use resolveEntity to reject any uri
> that is not in an approved list of sources. I have the code running and
> if the uri is not in my list I return null. However, the behavior of
> xalanc is different than I anticipated. If null is returned as the input
> source
You need to read the specification for EntityResolver to understand how 
things work.  Returning a NULL pointer simply tells the SAX parser to 
process the system ID as it normally would.  The header file for 
EntityResolver provides some clues, but the full description is here:

http://www.saxproject.org/apidoc/org/xml/sax/EntityResolver.html

>
> then the following happens after resolveEntity is called ( this is in
> xalanc\XSLT\XSLTProcessorEnvSupportDefault.cpp ):
...
>
> If null is returned by resolveEntity then the else branch is taken and
> the url is used anyway.  Am I trying to use the EntityResolver interface
> for something it is not intended for?
The canonical way to handle this is to return an InputSource that provides 
an empty entity.  You could use a MemBufInputSource, or a 
LocalFileInputSource with the name of a known, empty file.

The only caveat is that substituting an empty entity for the proper one can 
lead to subtle differences in behavior or to errors.  For example, a DTD 
that contains default attributes will provide a different information set 
than a substitute empty DTD.

Dave
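A resolver built on the approach Dave describes, added here as an example (it is not code from the original thread or from Xalan-C/Xerces-C): an allow-list check on the system ID, plus a Xerces-C++ EntityResolver that returns an empty MemBufInputSource for anything off the list rather than a NULL pointer. The allow-list contents are constructed for the example, and the `__has_include` guard that compiles the Xerces part only when its headers are installed is an assumption of this example, not part of the Xerces API.

```cpp
#include <string>
#include <vector>

// Constructed allow-list of approved entity sources (example values only).
static const std::vector<std::string> kAllowedPrefixes = {
    "file:///opt/app/dtd/",
    "http://dtd.example.com/"
};

// Policy check: a system ID is approved only if it starts with an approved
// prefix and contains no ".." segment that could climb out of that prefix.
bool isAllowedSystemId(const std::string& systemId)
{
    if (systemId.find("..") != std::string::npos)
        return false;
    for (const std::string& prefix : kAllowedPrefixes) {
        if (systemId.compare(0, prefix.size(), prefix) == 0)
            return true;
    }
    return false;
}

#if __has_include(<xercesc/sax/EntityResolver.hpp>)
#include <xercesc/sax/EntityResolver.hpp>
#include <xercesc/sax/InputSource.hpp>
#include <xercesc/framework/MemBufInputSource.hpp>
#include <xercesc/util/XMLString.hpp>

// Returning NULL tells the SAX parser to fetch the system ID as it normally
// would, so a rejected URI is answered with a zero-length entity instead.
class AllowListResolver : public xercesc::EntityResolver
{
public:
    xercesc::InputSource* resolveEntity(const XMLCh* const /*publicId*/,
                                        const XMLCh* const systemId) override
    {
        char* narrow = xercesc::XMLString::transcode(systemId);
        std::string id(narrow ? narrow : "");
        xercesc::XMLString::release(&narrow);

        if (isAllowedSystemId(id))
            return 0;   // NULL: let the parser resolve the approved URI itself

        // Substitute an empty entity; the parser takes ownership and deletes it.
        static const XMLByte kEmpty[] = { 0 };
        return new xercesc::MemBufInputSource(kEmpty, 0, "rejected-entity", false);
    }
};
#endif
```

As the thread notes, an empty substitute DTD drops any default attributes the real DTD would have supplied, so documents that rely on them will parse differently.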