Thanks for the explanation, but I still don't quite understand...

You guessed correctly that I use a "SYSTEM" DTD declaration, but I'm
confused as to what you mean when you say the "current working directory"
isn't the same as the temporary directory created to run the process
command. I hadn't assumed that it was - I thought that it would be the same
as the current working directory of the document into which the exported
content is being pasted.

- My original document has a SYSTEM DTD declaration, let's say
        <!DOCTYPE foo SYSTEM "bar.dtd">
- I export some of it using copyDocument, which generates a document
  with an effectively identical DTD declaration:
        <!DOCTYPE foobar SYSTEM "bar.dtd">
- I then read in the exported document using the read command and try to
  paste it using the paste command. The DTD path specified in the clipboard
  contents is (I assume) identical to the DTD path in the main document -
  why is there a problem?

Regards,
 
Kevin Flynn
Birdstep Technology ASA
Oslo, Norway
+47 93433942

-----Original Message-----
From: Hussein Shafie [mailto:[email protected]] 
Sent: Friday, January 28, 2005 10:30 AM
To: Kevin Flynn
Cc: xmleditor-support at xmlmind.com
Subject: Re: [XXE] Paste command limitation

Kevin Flynn wrote:
> It's tempting to assume (I did) that any document content exported to a 
> file using "copyDocument" can be re-imported to the same location using 
> the "read" and "paste" commands. This is not, however, the case. Content 
> exported by "copyDocument" includes a DTD declaration, and unless this 
> declaration is removed, the content cannot be re-imported using "read" 
> and "paste". If the exported content is processed by an XSL 
> transformation before import, then the DTD declaration is automatically 
> removed. If, however, some other method is used to modify the exported 
> content, then the declaration will need to be explicitly removed.
> 
>  
> 
> As far as I can see, this limitation is not documented, and it's just 
> taken me a _long_ time to find it out, so I think it would be useful to 
> document it in an appropriate location. Or maybe the "paste" command 
> could be modified to ignore any DTD declaration?

Command "paste" 
(http://www.xmlmind.com/xmleditor/_distrib/docs/commands/ch06s34.html) 
can paste the string passed in its parameter (in your case, this string 
is loaded by process command item "read" -- 
http://www.xmlmind.com/xmleditor/_distrib/docs/commands/ch05s01s08.html) 
or the string found in the system clipboard.

* If this string starts with "<?xml " *and* can be parsed as XML, then 
XXE considers that the string represents XML nodes.

The string is parsed using the current working directory as its base URL 
(which is used to resolve relative URLs contained in the string).

* Otherwise, XXE considers that this string is plain text.

Let's say that this string contains '<!DOCTYPE foo SYSTEM "bar.dtd">', 
XXE will not be able to parse it as XML unless there is a file called 
"bar.dtd" in the current working directory.

Note that the current working directory is *not* the temporary directory 
created to run the process command.

Therefore, the only solution is to use doctypes such as '<!DOCTYPE foo 
PUBLIC 'my/bar' "bar.dtd">', in conjunction with an XML catalog 
containing an entry for 'my/bar'.

---
PS: I've never tested what I have said but if this does not work, just 
tell us about it, and we'll fix this bug.
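
The resolution behaviour discussed in this thread, as an added example that is not part of the original e-mails and not XXE's own code: a relative SYSTEM identifier resolves to a different DTD location for each base URL, while a PUBLIC identifier mapped through an XML catalog resolves to one fixed location. The file paths, the catalog contents and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
# Constructed catalog; its location /opt/dtds/ is a hypothetical path.
CATALOG_URL = "file:///opt/dtds/catalog.xml"
CATALOG_XML = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <public publicId="my/bar" uri="bar.dtd"/>
</catalog>"""
# Constructed inputs: the two doctype styles mentioned in the thread.
SYSTEM_DOC = '<?xml version="1.0"?><!DOCTYPE foo SYSTEM "bar.dtd"><foo/>'
PUBLIC_DOC = '<?xml version="1.0"?><!DOCTYPE foo PUBLIC \'my/bar\' "bar.dtd"><foo/>'
# Hypothetical base URLs: the main document versus a process working directory.
DOC_BASE = "file:///home/kevin/docs/main.xml"
CWD_BASE = "file:///usr/local/xxe/bin/"

# Captures the optional public identifier and the system identifier.
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+\S+\s+(?:PUBLIC\s+(['\"])(?P<pub>.*?)\1\s+|SYSTEM\s+)"
    r"(['\"])(?P<sys>.*?)\3")

def load_catalog(xml_text, catalog_url):
    """Map publicId -> absolute URI. Only <public> entries are handled here;
    relative uri values resolve against the catalog file, not the document."""
    root = ET.fromstring(xml_text)
    return {e.get("publicId"): urljoin(catalog_url, e.get("uri"))
            for e in root.iter("{%s}public" % CATALOG_NS)}

def resolve_dtd(doc_text, base_url, catalog):
    """Return the URL from which the DTD would be loaded, or None without a doctype."""
    m = DOCTYPE_RE.search(doc_text)
    if m is None:
        return None
    pub = m.group("pub")
    if pub is not None and pub in catalog:
        return catalog[pub]                    # catalog hit: base URL is irrelevant
    return urljoin(base_url, m.group("sys"))   # fallback: depends on the base URL

if __name__ == "__main__":
    catalog = load_catalog(CATALOG_XML, CATALOG_URL)
    for doc in (SYSTEM_DOC, PUBLIC_DOC):
        for base in (DOC_BASE, CWD_BASE):
            print(base, "->", resolve_dtd(doc, base, catalog))
```

With the SYSTEM doctype, the parser loads whichever "bar.dtd" sits next to the base URL it was given; with the catalog entry, the DTD location is fixed regardless of where the string is parsed.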




