ns80 |
1790357 |
From 5dd52182972a35f2251a07784eda35d3d52d3e07 Mon Sep 17 00:00:00 2001 |
From: Sebastian Pipping <sebastian@pipping.org> |
Date: Tue, 1 Mar 2022 23:02:34 +0100 |
Subject: [PATCH] lib: Document namespace separator effect right in header |
<expat.h> |
|
--- |
expat/lib/expat.h | 5 +++++ |
1 file changed, 5 insertions(+) |
|
--- a/lib/expat.h |
+++ b/lib/expat.h |
@@ -227,6 +227,12 @@ XML_ParserCreate(const XML_Char *encodin |
It is a programming error to use the separator '\0' with namespace |
triplets (see XML_SetReturnNSTriplet). |
|
+ If a namespace separator is chosen that can be part of a URI or |
+ part of an XML name, splitting an expanded name back into its |
+ 1, 2 or 3 original parts on application level in the element handler |
+ may end up vulnerable, so these are advised against; sane choices for |
+ a namespace separator are e.g. '\n' (line feed) and '|' (pipe). |
+ |
Note that Expat does not validate namespace URIs (beyond encoding) |
against RFC 3986 today (and is not required to do so with regard to |
the XML 1.0 namespaces specification) but it may start doing that |
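Review bot: The added paragraph's wording "may end up vulnerable, so these are advised against" does not say what goes wrong or what "these" refers to; naming the failure (an expanded name that can be split back into its 1, 2 or 3 parts in more than one way, so the element handler may attribute a name to the wrong namespace) would make the advice actionable. The recommendation of '\n' and '|' also sits directly above the note that Expat does not validate namespace URIs against RFC 3986, so the comment should state whether the parser guarantees that the chosen separator cannot occur inside a namespace URI, or whether the application has to check for it before splitting. Minor: the diffstat reports 5 insertions while the hunk header (-227,6 +227,12) and the six '+' lines indicate 6.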