Hi,

The spec is a bit lax about the XML features allowed. However, we don't
really expect people to use fancy features like custom entities,
XInclude, etc. Let's formally stricten the spec to disallow anything
remote or potentially dangerous to at least protect implementations
from the most common XML security problems.

While at it, let's make it clear that while we don't permit elements
outside the spec in metadata.xml files, we may add new elements or
attributes in future versions.

I'm not sure whether we should be increasing the version number here.
On one hand, the change roughly matches the original intent (i.e. no
metadata.xml files should be broken by it, and implementations should not
have been processing external DTDs or anything like that anyway).
On the other, technically speaking the new version is more restrictive
than the old one, so a major version bump would be correct.

WDYT?


Michał Górny (2):
  glep-0068: Clarify and restrict XML data format
  glep-0068: Indicate that unknown elements should be ignored

 glep-0068.rst | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

--
2.38.0
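
An added example, not part of the original message or of the GLEP: one way a metadata.xml reader could enforce the restrictions proposed above, using Python's expat bindings. It assumes a DOCTYPE line is tolerated but its external DTD is never fetched; the element names, the example.org URL and the helper names (read_metadata, UnsafeXML) are illustrative.

```python
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class UnsafeXML(ValueError):
    """The document uses an XML feature this reader refuses."""

def read_metadata(data, known):
    """Return (element, text) pairs for known elements, skipping unknown ones."""
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never fetch the external DTD subset named by a DOCTYPE.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    found, stack = [], []

    def refuse_entity(*_decl):
        # Fires for every <!ENTITY ...>, internal or external.
        raise UnsafeXML("custom entity declarations are refused")

    def start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            raise UnsafeXML("XInclude elements are refused")
        stack.append((name, []))

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(name):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if tag in known and text:  # unknown elements are ignored, not fatal
            found.append((tag, text))

    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return found

# Constructed samples (element names and URLs are illustrative).
DOCTYPE = b'<!DOCTYPE pkgmetadata SYSTEM "https://example.org/metadata.dtd">'
SAMPLE_OK = DOCTYPE + (b"<pkgmetadata><maintainer><email>dev@example.org</email>"
                       b"</maintainer><futuretag>x</futuretag></pkgmetadata>")
SAMPLE_ENTITY = (b'<!DOCTYPE pkgmetadata [<!ENTITY a "aaaa">]>'
                 b"<pkgmetadata><email>&a;</email></pkgmetadata>")
SAMPLE_XINCLUDE = (b'<pkgmetadata xmlns:xi="' + XINCLUDE_NS.encode() + b'">'
                   b'<xi:include href="other.xml"/></pkgmetadata>')
```
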