Re: Validing parser required?

[Michael Champion <mc@xxxxxxxxxxx>]

On Jul 2, 2004, at 11:02 AM, Sam Ruby wrote:

> As I said, I would like to see Atom "cleanly and thoroughly 
> specified".  People should not be required to use a validating parser 
> simply because the spec is silent on whether this is allowed or not, 
> and therefore must be allowed.
>
> One way to handle this is the way SOAP[5] does :

SOAP 1.2 has much more explicit language about the non-requirement for 
runtime validation that you may wish to borrow. 
http://www.w3.org/TR/soap12-part1/#reltoxml

> > A SOAP message MUST NOT contain a Document Type Declaration.

At least in SOAP 1.2, this is not to prevent a requirement for runtime 
validation but to align SOAP on a subset of XML that does not contain 
entity declarations or references to any other then the built-in XML 
entities.  That is for performance and security reasons that may or may 
not apply to Atom.  This is the mother of permathreads in the SOAP 
world -- while I will strongly defend the removal of entities from 
SOAP, I am not prepared to do that for Atom.  On the other hand, you 
may wish to consider the "billion laughs" XML denial of service attack 
http://www.securityfocus.com/archive/1/303509/2002-12-13/2002-12-19/0 
and determine how / whether to address it in Atom.  Forbidding DTDs is 
at least a simple way of doing this, but again the cost for Atom is 
probably prohibitive.  (Anticipating much stronger statement of this 
from Elliotte Rusty Harold  ... <grin> )