The problem with not fetching external DTDs/parsed entities is that they can 
contain entity declarations that affect the way the document is parsed. So your 
document is valid, but because it references &someEntity; which was declared in 
external.dtd, it will generate an error because external.dtd wasn't retrieved. 
But I am still considering what the best default behavior is. At a minimum I 
think the caching behavior (for HTTP) will become default. Old XML and code 
should still work, unless it references an external DTD or contains an internal 
subset it doesn't conform to.

As for security, I already figured out how to secure the parser completely 
against every type of DoS attack (billion laughs, entity blowup, and so on) and 
will be adding that shortly. I'm still considering what limits to impose on 
input. Right now there is already a three-deep limit on entity replacement. 
These limits will be configurable and removable.
  
----- Original Message -----
From: Igor Stasenko
Sent: 01/06/14 11:25 AM
To: Pharo Development List
Subject: Re: [Pharo-dev] XMLParser Problem with SVG
Hmm, my only question is about default behavior. Before it was not 
using/resolving any DTD links, and now it is... which means old code which 
worked perfectly before will now stop functioning. So, maybe it's worth 
changing the default behavior to be backwards compatible? Also, I'm not sure if it 
is a good idea to go over a wire for arbitrary content you can give to 
XMLDOMParser; IMO this should be disabled by default, and instructed by the user 
explicitly instead. Don't take me wrong: I really like that now we can handle 
DTD stuff properly, I'm only doubting the current default way of handling it.
On 6 January 2014 12:58, monty <monty...@engineer.com> wrote:
You can use the DTDCachingEntityResolver to cache responses:

resolver := DTDCachingEntityResolver new.

then:

(XMLDOMParser onFileNamed: 'lion.svg')
 externalEntityResolver: resolver;
 parseDocument.

or you could just disable validation and external entity resolution altogether:
(XMLDOMParser onFileNamed: 'lion.svg')
 isValidating: false;
 resolvesExternalEntities: false;
 parseDocument.

if you're parsing a string or stream (and you can always create your own file 
stream and give it that), you can do everything with just one message:

XMLDOMParser
 parse: xmlStringOrStream
 usingNamespaces: true
 validation: false
 externalEntities: false.

This is all in the documentation for SAXHandler.  
----- Original Message -----
From: J.F. Rick
Sent: 01/06/14 04:37 AM
To: Pharo Development List
Subject: Re: [Pharo-dev] XMLParser Problem with SVG
Monty, thanks. You are right that the latest version of XMLParser fixes the 
parsing problem. I think you just need to upload an updated configuration to 
the MetaRepoForPharo30 to fix this. And, yes, I would like to know how to turn 
DTD parsing off or for it to cache the DTD as it takes several seconds to 
retrieve the DTD for SVG and that gets annoying.

Cheers,

Jeff

On Mon, Jan 6, 2014 at 10:18 AM, Sven Van Caekenberghe <s...@stfx.eu> wrote:
On 06 Jan 2014, at 10:06, Igor Stasenko <siguc...@gmail.com> wrote:

>
>
>
> On 5 January 2014 15:19, J.F. Rick <s...@je77.com> wrote:
> I am trying to use 
> SVG with Athens; however, the XMLParser for Pharo 3.0 cannot read normal SVG 
> files that it used to. So, the demo of "ASVGMorph fromFile: 'lion.svg'" fails 
> in the XMLParser (i.e., before ASVGMorph really does anything to it). It 
> seems to download the DTD file from the Internet and then cannot properly 
> parse it. Here is my setup:
>
> Up-to-date Pharo 3.0. Added XMLParser from the Configuration Browser.
> Example file can be found here: 
> http://www.thetangentbundle.net/w/images/f/ff/lion.svg
> The following brings up an error: XMLDOMParser parseFileNamed: 'lion.svg'
>> Hmm, why it tries to parse DTD file? It looks like something has changed in 
>> XMLDOMParser, because it wasn't before, and there is no support in SVG parser
> for that.
Yes, the parsing of DTDs is new, Monty added it recently.
He says there is a way to turn it off.
>> Cheers,
>
> Jeff
>
> --
> Jochen "Jeff" Rick, Ph.D.
> http://www.je77.com/
> Skype ID: jochenrick
>
>
>> --
> Best regards,
> Igor Stasenko.
    --
Jochen "Jeff" Rick, Ph.D.
http://www.je77.com/
Skype ID: jochenrick
 


--
Best regards,
Igor Stasenko. 
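
The first message in this thread mentions two parser behaviours: a reference such as &someEntity; fails when the external DTD that declares it was never fetched, and a depth limit on entity replacement bounds billion-laughs input. The sketch below is an added Python illustration of both, not code from XMLParser or from anyone in the thread; the names `expand`, `max_depth`, `max_output` and the error classes are hypothetical, and reading "three-deep" as three nested replacements is an assumption.

```python
import re

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")
PREDEFINED = {"lt": "<", "gt": ">", "amp": "&", "apos": "'", "quot": '"'}

# Constructed sample: internal-subset declarations in the "billion laughs" shape.
SAMPLE_ENTITIES = {"a": "ha", "b": "&a;" * 4, "c": "&b;" * 4,
                   "d": "&c;" * 4, "e": "&d;" * 4}

class UndeclaredEntityError(Exception):
    """No declaration seen, e.g. it lives in an external DTD that was not fetched."""

class EntityLimitError(Exception):
    """Expansion is recursive or exceeded a configured limit."""

def expand(text, entities, max_depth=3, max_output=10_000):
    """Expand general entity references, enforcing depth and size limits."""
    produced = 0

    def emit(chunk):
        # Count every character that reaches the output, across all levels.
        nonlocal produced
        produced += len(chunk)
        if produced > max_output:
            raise EntityLimitError(f"output exceeds {max_output} characters")
        return chunk

    def walk(fragment, depth, active):
        out, pos = [], 0
        for ref in ENTITY_REF.finditer(fragment):
            out.append(emit(fragment[pos:ref.start()]))
            pos, name = ref.end(), ref.group(1)
            if name in PREDEFINED:
                out.append(emit(PREDEFINED[name]))  # not rescanned
            elif name not in entities:
                raise UndeclaredEntityError(name)
            elif name in active:
                raise EntityLimitError(f"&{name}; refers to itself")
            elif depth >= max_depth:
                raise EntityLimitError(f"&{name}; nests deeper than {max_depth}")
            else:
                out.append(walk(entities[name], depth + 1, active | {name}))
        out.append(emit(fragment[pos:]))
        return "".join(out)

    return walk(text, 0, frozenset())
```

With the defaults, `&c;` (three nested replacements) expands to 16 copies of "ha", while `&d;` and `&e;` are rejected before any text is produced for them.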
