santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cantor, Scott" <canto...@osu.edu>
Subject Re: Question about IdResolver.getElementById()
Date Wed, 16 Nov 2011 17:41:36 GMT
On 11/16/11 12:37 PM, "Yang Yu" <yyu008@gmail.com> wrote:

>In org.apache.xml.security.utils.IdResolver.getElementById(Document doc,
>String id), I'm wondering why it's necessary to do a exhaustive search by
>calling:
>
>result = IdResolver.getElementBySearching(doc, id);
>
>Do you see any harm if I comment out this line? Because I notice that the
>Element is always found by the first call:
>
>Element result = IdResolver.getElementByIdType(doc, id);

IDness is an extremely complex issue. Unless you have schema validation,
or extensive content knowledge, you can't know what IDs are present, and
getElementById won't succeed.

But in turn, searching for Ids is, in general, wrong. It's essentially
insecure, and if there's still a feature doing that by default, there's a
bug. The wrapping attacks proved that once and for all (I hope).

-- Scott


Mime
View raw message