[OSM-dev] Invalid XML?
Frederik Ramm
frederik at remote.org
Thu Sep 11 07:54:15 BST 2008
Hi,
Florian Lohoff wrote:
> Its not that the xml is broken afterwards but people could start putting
> bad things into the database by closing a tag and reopening a new one.
Excuse me? How do you think that could happen?
The backslash has no special meaning in XML, it is just a character like
any other. It does not require escaping.
There is no XML injection attack possible here because any XML you try
to inject would either have to be quoted properly, in which case it will
just sit there as plain strings, or if it isn't quoted then it will not
be inserted verbatim. (It will either fail to parse, or if it is
structured in a way that it the XML is valid and contains superfluous
tags, these will probably be dropped silently as we don't validate to a
schema or DTD.)
If you belive there is a way to put "bad things" into the database, try
it out and show us results.
Bye
Frederik
More information about the dev
mailing list