1 |
From 5dd52182972a35f2251a07784eda35d3d52d3e07 Mon Sep 17 00:00:00 2001 |
2 |
From: Sebastian Pipping <sebastian@pipping.org> |
3 |
Date: Tue, 1 Mar 2022 23:02:34 +0100 |
4 |
Subject: [PATCH] lib: Document namespace separator effect right in header |
5 |
<expat.h> |
6 |
|
7 |
--- |
8 |
expat/lib/expat.h | 5 +++++ |
9 |
1 file changed, 5 insertions(+) |
10 |
|
11 |
--- a/lib/expat.h |
12 |
+++ b/lib/expat.h |
13 |
@@ -227,6 +227,12 @@ XML_ParserCreate(const XML_Char *encodin |
14 |
It is a programming error to use the separator '\0' with namespace |
15 |
triplets (see XML_SetReturnNSTriplet). |
16 |
|
17 |
+ If a namespace separator is chosen that can be part of a URI or |
18 |
+ part of an XML name, splitting an expanded name back into its |
19 |
+ 1, 2 or 3 original parts on application level in the element handler |
20 |
+ may end up vulnerable, so these are advised against; sane choices for |
21 |
+ a namespace separator are e.g. '\n' (line feed) and '|' (pipe). |
22 |
+ |
23 |
Note that Expat does not validate namespace URIs (beyond encoding) |
24 |
against RFC 3986 today (and is not required to do so with regard to |
25 |
the XML 1.0 namespaces specification) but it may start doing that |