> I was presented with some questions regarding XML and was wondering if there 
> are any settings in ColdFusion to
> disable any of these or I do not need to worry about it since we do not use 
> any XML in our code:
>
> 1.  How application employs methods for XML schema validation.
> 2.  How application disables use of inline XML Document Type Definition (DTD) 
> schemas in XML parsing objects.
> 3.  How application manages DTD parsing behavior as a key to preventing the 
> invocation of XML bombs.
>
> Is it safe to say IF we were to use XML we could use the XML validation 
> function built in CF9?

Honestly, I don't know whether CF's validation would prevent any of
these issues. CF's parser does allow you to declare DTD entities
directly within an XML document, I think. You'd need to pre-parse the
document yourself to prevent this, perhaps.

But since your application doesn't use XML, your best bet is to say
just that, and no more.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsi
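
One way to do the pre-parsing suggested in the reply above, as an added example that is not part of the original thread: hand untrusted XML to the JVM's JAXP parser with DOCTYPE declarations disallowed, so inline DTDs and entity definitions are rejected before any entity expansion happens. The function and variable names are hypothetical, the sample documents are constructed, and it assumes the JAXP implementation on the server is Xerces-based and honors the `disallow-doctype-decl` feature.

```cfml
<cfscript>
// Added example, not code from the thread. Names are hypothetical.
// Returns a struct: ok (boolean), document (org.w3c.dom.Document or ""), error (string).
function parseXmlWithoutDtd(required string xmlText) {
    var result = { ok = false, document = "", error = "" };
    try {
        var factory = createObject("java", "javax.xml.parsers.DocumentBuilderFactory").newInstance();
        // With this feature on, any <!DOCTYPE ...> in the input is a fatal parse error,
        // which covers inline DTDs, external entities and entity-expansion bombs.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", javaCast("boolean", true));
        // Defense in depth in case the feature above is ever relaxed.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", javaCast("boolean", false));
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", javaCast("boolean", false));
        factory.setExpandEntityReferences(javaCast("boolean", false));

        var reader = createObject("java", "java.io.StringReader").init(arguments.xmlText);
        var source = createObject("java", "org.xml.sax.InputSource").init(reader);
        result.document = factory.newDocumentBuilder().parse(source);
        result.ok = true;
    } catch (any e) {
        // The parser's rejection (or any other parse failure) ends up here.
        result.error = e.message;
    }
    return result;
}

// Constructed sample inputs: one plain document, one that declares an inline DTD entity.
plainXml = '<?xml version="1.0"?><order><id>42</id></order>';
dtdXml   = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY a "x">]><order><id>&a;</id></order>';

plainResult = parseXmlWithoutDtd(plainXml);
dtdResult   = parseXmlWithoutDtd(dtdXml);

writeOutput("plain document accepted: " & plainResult.ok & "<br>");
writeOutput("inline DTD accepted: " & dtdResult.ok & " (" & htmlEditFormat(dtdResult.error) & ")<br>");
</cfscript>
```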

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350660