This is an automated email from the ASF dual-hosted git repository.
scantor pushed a commit to branch xerces-3.3
in repository https://gitbox.apache.org/repos/asf/xerces-c.git
The following commit(s) were added to refs/heads/xerces-3.3 by this push:
new d21ff07ee Some documentation updates.
d21ff07ee is described below
commit d21ff07ee9e3d2e0e9cde0faa25c217fbb40c6b1
Author: Scott Cantor <[email protected]>
AuthorDate: Wed Sep 25 11:46:34 2024 -0400
Some documentation updates.
---
doc/applications.xml | 16 ----------------
doc/program-others.xml | 24 ++++++++++++++++++++++++
doc/program.xml | 1 +
3 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/doc/applications.xml b/doc/applications.xml
index 6ac303bed..6433a1443 100644
--- a/doc/applications.xml
+++ b/doc/applications.xml
@@ -55,21 +55,5 @@
to the W3C proposed recommendation of XQuery and XPath 2.0.</p>
</s3>
- <s3 title="XML Security for C++">
- <p><jump href="http://santuario.apache.org/">XML Security
- for C++</jump> is an open-source implementation of the XML
- Digital Signature and Encryption specifications and is based
- on &XercesCName;. The library also provides support for
- serializing XML in the canonical form.</p>
- </s3>
-
- <s3 title="Shibboleth and OpenSAML">
- <p><jump href="http://www.shibboleth.net/">Shibboleth</jump> is
- an open source Web Single Sign-On and Federation implementation
- that supports the SAML 2.0 and SAML 1.1 standards, among other
- capabilities. The Service Provider and underlying OpenSAML
- library use &XercesCName;.</p>
- </s3>
-
</s2>
</s1>
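Review bot: the commit message ("Some documentation updates") does not say why the "XML Security for C++" and "Shibboleth and OpenSAML" entries are being dropped from the applications list; since both projects are described here as depending on &XercesCName;, the message or a short note in the hunk should record the reason (for example that the entries are stale or that the projects asked to be removed) so a later reader of the history does not mistake the deletion for an accident.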
diff --git a/doc/program-others.xml b/doc/program-others.xml
index d65af85cd..89a2ac182 100644
--- a/doc/program-others.xml
+++ b/doc/program-others.xml
@@ -718,4 +718,28 @@
parser->getDomConfig()->setParameter(XMLUni::fgXercesSchema, doSchema);
</s2>
+ <anchor name="EntityResolution"/>
+ <s2 title="Entity Resolution and NetAccessors">
+
+ <p><strong>All Xerces applications that wish to limit a wide range of
security risks MUST install
+ appropriate implementations of API-specific "entity/resource
resolution" implementations to
+ govern/police the resolution of external entities by the
parser.</strong>
+ </p>
+
+ <p>In the event that an entity resolver wants to delegate the job of
resolving a particular resource
+ to the parser, Xerces will automatically handle local file references
but will delegate any non-local
+ file URLs to a <em>NetAccessor</em>, a plugin controlled at build time
supporting access to remote
+ systems. Most of the built-in implementations are limited, with the
principal exception of support
+ for <a href="https://curl.haxx.se">libcurl</a> as an implementation,
which supports a wide range
+ of protocols, potentially including http over TLS, which is rarely
supported in other cases.</p>
+
+ <p>It is incredibly important to implement your own entity resolution
code to ensure that if you
+ allow the parser to perform its own resolution, it does so only under
conditions and against URLs
+ you trust. The library will <strong>NOT</strong> your application from
the many potential threats
+ arising from arbitrary resource resolution.</p>
+
+ <p>Notably, entity/resource resolver implementations can be
accompanied by changing the default
+ parser features to disallow "default" resolution, preventing the
parser from executing its own
+ NetAccessors to perform these lookups.</p>
+ </s2>
</s1>
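Review bot: the sentence "The library will <strong>NOT</strong> your application from the many potential threats" is missing its verb, and in the one paragraph that states the security guarantee that omission matters; it should read "will <strong>NOT</strong> protect your application from". Two smaller points in the same hunk: the libcurl link uses `<a href="https://curl.haxx.se">`, while every other link in these documents (see the `<jump href=...>` elements removed in applications.xml and added in program.xml) uses the `<jump>` element, so this one should be `<jump href="https://curl.haxx.se">libcurl</jump>` for consistency with the document's markup; and the closing paragraph tells readers to change "the default parser features to disallow 'default' resolution" without naming the feature or pointing at where in this file it is documented, so the reader who most needs the advice cannot act on it. Naming the specific feature(s) and cross-referencing the existing "Managing Security Vulnerabilities" section would make the guidance concrete; while there, "http over TLS" is more clearly written as "HTTPS".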
diff --git a/doc/program.xml b/doc/program.xml
index 6c55d13aa..60cda6724 100644
--- a/doc/program.xml
+++ b/doc/program.xml
@@ -143,6 +143,7 @@ int main(int argc, char* argv[])
<li><jump
href="program-others-&XercesC3Series;.html#PluggablePanicHandler">Pluggable
Panic Handler</jump></li>
<li><jump
href="program-others-&XercesC3Series;.html#PluggableMemoryManager">Pluggable
Memory Manager</jump></li>
<li><jump
href="program-others-&XercesC3Series;.html#SecurityManager">Managing Security
Vulnerabilities</jump></li>
+ <li><jump
href="program-others-&XercesC3Series;.html#EntityResolution">Entity Resolution
and NetAccessors</jump></li>
</ul>
</s2>