| 1 |
ns80 |
1790357 |
From 5dd52182972a35f2251a07784eda35d3d52d3e07 Mon Sep 17 00:00:00 2001 |
| 2 |
|
|
From: Sebastian Pipping <sebastian@pipping.org> |
| 3 |
|
|
Date: Tue, 1 Mar 2022 23:02:34 +0100 |
| 4 |
|
|
Subject: [PATCH] lib: Document namespace separator effect right in header |
| 5 |
|
|
<expat.h> |
| 6 |
|
|
|
| 7 |
|
|
--- |
| 8 |
|
|
expat/lib/expat.h | 5 +++++ |
| 9 |
|
|
1 file changed, 5 insertions(+) |
| 10 |
|
|
|
| 11 |
|
|
--- a/lib/expat.h |
| 12 |
|
|
+++ b/lib/expat.h |
| 13 |
|
|
@@ -227,6 +227,12 @@ XML_ParserCreate(const XML_Char *encodin |
| 14 |
|
|
It is a programming error to use the separator '\0' with namespace |
| 15 |
|
|
triplets (see XML_SetReturnNSTriplet). |
| 16 |
|
|
|
| 17 |
|
|
+ If a namespace separator is chosen that can be part of a URI or |
| 18 |
|
|
+ part of an XML name, splitting an expanded name back into its |
| 19 |
|
|
+ 1, 2 or 3 original parts on application level in the element handler |
| 20 |
|
|
+ may end up vulnerable, so these are advised against; sane choices for |
| 21 |
|
|
+ a namespace separator are e.g. '\n' (line feed) and '|' (pipe). |
| 22 |
|
|
+ |
| 23 |
|
|
Note that Expat does not validate namespace URIs (beyond encoding) |
| 24 |
|
|
against RFC 3986 today (and is not required to do so with regard to |
| 25 |
|
|
the XML 1.0 namespaces specification) but it may start doing that |
Parent Directory
| 
Revision Log