Re: XML size validations

2024-03-07 Thread Bernd Eckenfels
Hello,

Joseph Kesselman wrote on 7. Mar 2024 19:41 (GMT +01:00):

> What concerns are you actually trying to address?

The main concerns here typically are DoS protection and generally constrained
resource usage when libraries parse and execute things.
…
> And I *think* I remember Xerces adding the ability to limit depth of
> parsed entity recursion, if you're worried about abuse of those.

Yes Xerces has the Security Manager, and the JDK jax-p makes
use of that with stricter defaults for them when
FEATURE_SECURE_PROCESSING is requested. The secureValues
of the limits are used then: 
https://github.com/openjdk/jdk/blob/7c5e6e74c8f559be919cea63ebf7004cda80ae75/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java#L139

When you go Jackson or DOM all is pretty bleak, however. And you still need to
do accounting of allocations in your own code and handlers.

Gruß
Bernd
-- 
https://bernd.eckenfels.net

-
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-users-h...@xerces.apache.org
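
The two measures discussed in this thread, FEATURE_SECURE_PROCESSING for the parser's own limits and a SAX handler that counts and throws once a budget is exceeded, combined in one added example. It is not code from any poster or from the Xerces project; the class name BudgetedSaxParse, the handler and all limit values are assumptions, and the input is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class; every limit value used here is an illustrative assumption.
public class BudgetedSaxParse {
    static class BudgetHandler extends DefaultHandler {
        private final long maxElements, maxChars, deadlineNanos;
        private final int maxDepth;
        private long elements, chars;
        private int depth;
        BudgetHandler(long maxElements, long maxChars, int maxDepth, long maxMillis) {
            this.maxElements = maxElements;
            this.maxChars = maxChars;
            this.maxDepth = maxDepth;
            this.deadlineNanos = System.nanoTime() + maxMillis * 1_000_000L;
        }
        // Called from every callback: abort on a blown counter or on elapsed time.
        private void check(boolean exceeded, String what) throws SAXException {
            if (exceeded) throw new SAXException("XML budget exceeded: " + what);
            if (System.nanoTime() - deadlineNanos > 0) throw new SAXException("XML budget exceeded: time");
        }
        @Override public void startElement(String uri, String local, String qName, Attributes atts)
                throws SAXException {
            check(++elements > maxElements, "element count");
            check(++depth > maxDepth, "depth");
        }
        @Override public void endElement(String uri, String local, String qName) { depth--; }
        @Override public void characters(char[] ch, int start, int length) throws SAXException {
            chars += length;
            check(chars > maxChars, "character data");
        }
    }
    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // parser-side limits
        SAXParser parser = factory.newSAXParser();
        // Constructed sample input: five nested elements against a depth budget of three.
        byte[] xml = "<a><b><c><d><e>x</e></d></c></b></a>".getBytes(StandardCharsets.UTF_8);
        try {
            parser.parse(new ByteArrayInputStream(xml), new BudgetHandler(1000, 10_000, 3, 2000));
            System.out.println("accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The handler only sees what the parser reports through its callbacks, so the raw input length is better capped on the InputStream before it reaches the parser.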



Re: XML size validations

2024-03-07 Thread Joseph Kesselman
What concerns are you actually trying to address?

For SAX, document length could be limited by running tests in the handler and 
throwing an exception if "reasonable" count or time is exceeded.

And I *think* I remember Xerces adding the ability to limit depth of parsed 
entity recursion, if you're worried about abuse of those.

But as far as I know, Validation, in the sense defined by the XML 
Recommendations, does not have size or time constraints, only content 
constraints.

--
   /_  Joe Kesselman (he/him/his)
-/ _) My Alexa skill for New Music/New Sounds fans:
   /   https://www.amazon.com/dp/B09WJ3H657/

Caveat: Opinionated old geezer with overcompensated writer's block. May be 
redundant, verbose, prolix, sesquipedalian, didactic, officious, or redundant.

From: Elliotte Rusty Harold 
Sent: Thursday, March 7, 2024 7:51:20 AM
To: j-...@xerces.apache.org 
Cc: j-users@xerces.apache.org 
Subject: Re: XML size validations

Not at the level of XML with standard tools. That is, not really if by
validation you specifically mean validation as defined by the XML
specification.

If you mean validation more generically, then it's up to the code you write.

On Thu, Mar 7, 2024 at 9:03 AM Sudhish Nair
 wrote:
>
> Hello Team,
>
> Is it possible to implement validations on the basis of XML size or time 
> taken to parse the XML file?
>
> Regards,



--
Elliotte Rusty Harold
elh...@ibiblio.org




Re: XML size validations

2024-03-07 Thread Elliotte Rusty Harold
Not at the level of XML with standard tools. That is, not really if by
validation you specifically mean validation as defined by the XML
specification.

If you mean validation more generically, then it's up to the code you write.

On Thu, Mar 7, 2024 at 9:03 AM Sudhish Nair
 wrote:
>
> Hello Team,
>
> Is it possible to implement validations on the basis of XML size or time 
> taken to parse the XML file?
>
> Regards,



-- 
Elliotte Rusty Harold
elh...@ibiblio.org
