
Re: Re: Re: Orbeon Nightly regression: DTD entity imports no longer working

Posted by Erik Bruchez on Dec 16, 2010; 5:47am
URL: https://discuss.orbeon.com/Orbeon-Nightly-regression-DTD-entity-imports-no-longer-working-tp3085139p3090332.html

>> We just disabled loading of external entities for security reasons.
> Ouch :( Where is there a security issue here? The DTD itself is also loaded
> from the file system, triggered by the XML file.

Security issues occur when malicious users post XML to Orbeon Forms.
In that case, for sure, external entities should be disabled.

So we took the rather drastic step to disable them for now.

>> I guess that means we should provide an option to the URL generator
>> instead. The only problem is that the XML parser configuration is
>> really nasty (JAXP is a horrible thing).
>>
>> Do you have a workaround for this?
> Not really - this is already the workaround for eXist being unable to properly
> deal with entities ;-)

Mmh, this means that we probably need to implement some configuration
mechanism. The issue is that it will take a bit of time to do this.

Unless you could use something like XInclude?

-Erik

>
> Kind regards,
> Ralf Jung
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws
>
>
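
The per-caller option discussed in the message above, sketched with plain JAXP as an added example; it is not Orbeon Forms code. The class `EntityPolicyDemo`, the helpers `newReader` and `text`, and the sample document are assumptions made for illustration.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class EntityPolicyDemo {
    // Hypothetical helper: the caller states whether the source is trusted,
    // instead of one global parser setting for every input.
    static XMLReader newReader(boolean allowExternalEntities) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Standard SAX2 feature names.
        f.setFeature("http://xml.org/sax/features/external-general-entities", allowExternalEntities);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", allowExternalEntities);
        XMLReader r = f.newSAXParser().getXMLReader();
        if (!allowExternalEntities) {
            // Defense in depth: any resolution request that still reaches the resolver is refused.
            r.setEntityResolver((publicId, systemId) -> {
                throw new SAXException("external entity blocked: " + systemId);
            });
        }
        return r;
    }

    // Parses the document and returns its character data.
    static String text(String xml, boolean allowExternalEntities) throws Exception {
        StringBuilder sb = new StringBuilder();
        XMLReader r = newReader(allowExternalEntities);
        r.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) { sb.append(ch, start, len); }
        });
        r.parse(new InputSource(new StringReader(xml)));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local fragment pulled in through a DTD entity.
        File frag = File.createTempFile("fragment", ".txt");
        frag.deleteOnExit();
        Files.write(frag.toPath(), "included text".getBytes(StandardCharsets.UTF_8));
        String xml = "<!DOCTYPE doc [<!ENTITY inc SYSTEM \"" + frag.toURI() + "\">]><doc>&inc;</doc>";
        System.out.println("trusted local file: [" + text(xml, true) + "]");
        System.out.println("posted XML:         [" + text(xml, false) + "]");
    }
}
```

The same document is parsed twice: as a trusted local file the entity is expanded, and as posted XML the external entity is left unexpanded.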

