Cantor, Scott <canto...@osu.edu> writes:

> On 10/10/22, 10:14 AM, "Boris Kolpackov" <bo...@codesynthesis.com> wrote:
> 
> > What would be the other options for XML Schema validation usable
> > from C++?
> 
> Libxml2?
>
> Says it supports XML Schema 1.0 (which is all Xerces ever did AFAIK).

Last time I checked (which was admittedly a few years ago), while they
listed XML Schema support on their front page, if you dug deeper, it
quickly became apparent that support was WIP/incomplete. I did a bit
of searching now and the best documentation I could find is this man
page, which still says it is incomplete:

https://gnome.pages.gitlab.gnome.org/libxml2/devhelp/libxml2-xmlschemas.html


> It is hardly unusual to find that the best option to do something in
> C++ is to use a C library.

I don't know, in this case Xerces-C++ support and especially documentation
look miles ahead.


> >    And, no, rewriting everything in a different language just because
> >    Xerces-C++ has some bugs is not a sensible step.
> 
> That is a matter of opinion, because if a security bug pops up (*) that
> nobody can fix, you (and I) are going to be in a very, very bad position.
> Moving to a different language is the only sensible option if in fact
> there is nothing else to use, and I am doing exactly that, despite the
> many hours it will take.

Not every application that uses Xerces-C++ is security sensitive. In
fact, IMO, it's insane to parse untrusted XML regardless of the
implementation/language used -- the format is just too complex to
have any trust in the implementation. Also note that if you think
Xerces-C++ is somehow exceptionally bad, you are mistaken. We are
also packaging Expat and it's a constant stream of CVEs. And if you
think since it's actively maintained (which it is), those CVEs are
promptly patched, you are mistaken again: it's pretty common for the
release to appear weeks after the CVE is fixed in the repository.
