
Re: well-formedness error



--On Thursday, June 17, 2004 12:06 AM -0700 Tim Bray <Tim.Bray@xxxxxxx> wrote:
>
> I generally find it hard to get upset about this, since *if* the body
> is XML, if the software cheerfully ignores the headers and points an
> XML parser at it, the encoding will get sorted out and everything will
> just work. 

Most of the time, yes.

I find it confusing to define "well-formed XML" with respect to 
external encoding information, so I'll propose alternate terms.

well-formed XML: the XML payload of the HTTP request or response,
taken in isolation, meets the requirements for "well-formed" in
the XML 1.0 spec.

HTTP-correct: the HTTP headers and XML payload together meet the
requirements of RFC 3023 "XML Media Types" and RFC 3470, "Guidelines
for the Use of Extensible Markup Language (XML) within IETF Protocols".

Atom-valid: the HTTP headers and XML (or other) payload meet the
requirements of the Atom spec.

> However, smarter people than I have said that ignoring the Content-type
> is a potentially rich source of security holes.

It is a foolish but common practice. One vulnerability caused by this
involves guessing something is HTML then interpreting the scripts
in it. See CAN-2001-0712 for more info. I believe there is a recent
patch for this, but it is Windows-only. No fix for MSIE on Mac.

wunder
--
Walter Underwood
Principal Architect, Verity
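The three terms the post defines can be turned into a concrete check that keeps them apart. The following is an added example, not code from this thread or its authors: `is_well_formed` tests the payload in isolation, as the poster's "well-formed XML" does, and `check_http_correct` tests a simplified subset of the RFC 3023 header/payload rules (an XML media type, agreement between the `charset` parameter and the XML declaration, and the `text/xml` default of us-ascii when no charset is given) without ever sniffing the body to decide what it is. The response model (a headers dict plus a bytes body), the problem codes and the sample messages are constructed for this example; the full Atom-level check is out of scope.

```python
"""Separate "well-formed XML" from "HTTP-correct" for an XML-over-HTTP message.

Added example (not from the mailing-list thread). A response is modelled as a
headers dict and a bytes body; the RFC 3023 rules applied are a simplified
subset and the problem codes returned are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Encoding pseudo-attribute of an XML declaration at the very start of the body.
XML_DECL_RE = re.compile(rb'^\s*<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')


def parse_content_type(value):
    """Split 'type/subtype; k=v; ...' into (media_type, params); names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return media_type, params


def is_xml_media_type(media_type):
    """text/xml, application/xml and the +xml suffix family count as XML types."""
    return media_type in ("text/xml", "application/xml") or media_type.endswith("+xml")


def declared_encoding(body):
    """Encoding named in the XML declaration, or None if absent."""
    match = XML_DECL_RE.match(body)
    return match.group(1).decode("ascii") if match else None


def is_well_formed(body):
    """'Well-formed XML' in the poster's sense: the payload alone parses as XML 1.0."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def check_http_correct(headers, body):
    """Return problem codes for the header/payload pair; an empty list is HTTP-correct.

    The media type is taken from the header, never guessed from the body: a
    consumer that sniffs instead is the practice the thread warns about.
    """
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if content_type is None:
        return ["missing-content-type"]
    media_type, params = parse_content_type(content_type)
    if not is_xml_media_type(media_type):
        # Body may well parse as XML, but the sender did not label it as XML.
        return ["non-xml-media-type"]
    problems = []
    charset = params.get("charset")
    declared = declared_encoding(body)
    if charset and declared and charset.lower() != declared.lower():
        problems.append("charset-mismatch")
    if media_type == "text/xml" and charset is None:
        # RFC 3023: text/xml without a charset parameter defaults to us-ascii,
        # regardless of what the XML declaration says.
        problems.append("text-xml-default-us-ascii")
    return problems


def classify(headers, body):
    """Both verdicts side by side, showing they are independent properties."""
    return {"well_formed": is_well_formed(body), "http_correct": check_http_correct(headers, body) == []}


# Constructed sample messages for the demo below.
GOOD_BODY = b'<?xml version="1.0" encoding="UTF-8"?><feed><title>ok</title></feed>'
BROKEN_BODY = b'<feed><title>broken</feed>'
SAMPLES = [
    ({"Content-Type": "application/xml; charset=utf-8"}, GOOD_BODY),
    ({"Content-Type": "text/html"}, GOOD_BODY),                     # well-formed, mislabelled
    ({"Content-Type": "application/xml; charset=iso-8859-1"}, GOOD_BODY),
    ({"Content-Type": "text/xml"}, GOOD_BODY),
    ({"Content-Type": "application/xml; charset=utf-8"}, BROKEN_BODY),  # labelled right, not XML
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(headers.get("Content-Type"), classify(headers, body), check_http_correct(headers, body))
```

The second sample is the case the thread describes: the body is perfectly well-formed XML, yet the message is not HTTP-correct, and the check reports the mislabelling instead of quietly parsing the body anyway.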