All the Perl that's Practical to Extract and Report

  • This is old old news. I first thought about this when I was developing my first XML applications back in 1998. I think we probably talked about it on the perl-xml list back then, but I don't recall - it's a long time!

    Anyway, I guess the issue is still a relatively minor security issue for most systems. I can see it being mainly a "discovery" mechanism, rather than an exploitation mechanism. You might conceivably be able to get some system to send back an error in the case of invalid content, which contains
    • I had been under the (misguided) impression that entity resolution and validation were somehow linked, and that not providing the one (validation) meant you weren't doing the other.

      It was a simple-enough fix, but since my server classes proudly identify themselves in headers, I didn't want anyone being left vulnerable.
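
Added example, not part of the thread or of either commenter's code: the point in the reply above (entity resolution happens whether or not the parser validates), shown with Python's binding to expat, a non-validating parser. The sample document, the placeholder system identifier and the function names are constructed for illustration.

```python
from xml.parsers.expat import ParserCreate

# Constructed sample: the DTD declares an external entity and the body uses it.
# The system identifier is a placeholder, and nothing here ever fetches it.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<request><name>&ext;</name></request>
"""


class ExternalEntityRefused(ValueError):
    """Raised when a document asks the parser to resolve an external entity."""


def external_refs_seen(data):
    """Parse without validation; list the system ids the parser asks to resolve."""
    seen = []
    parser = ParserCreate()

    def record(context, base, system_id, public_id):
        seen.append(system_id)
        return 1  # report "handled" without loading anything

    parser.ExternalEntityRefHandler = record
    parser.Parse(data, True)
    return seen


def parse_refusing_external(data):
    """Return the character data; reject any document that uses an external entity."""
    chunks = []
    parser = ParserCreate()

    def refuse(context, base, system_id, public_id):
        raise ExternalEntityRefused(system_id)

    parser.ExternalEntityRefHandler = refuse
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)
```

The first function shows the reference reaching the application even though no validation takes place; the second is the refusing policy a server would apply to untrusted input.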