santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chad La Joie <laj...@itumi.biz>
Subject Re: XML Security Java 1.5.0-RC1 available
Date Tue, 20 Dec 2011 16:14:51 GMT
Okay, so what you've just said is that you can use schema validation
and xmlsec together.  Is that really what is intended?

On Tue, Dec 20, 2011 at 11:12, Sean Mullan <sean.mullan@oracle.com> wrote:
> The code does still call DOM Document.getElementById, but how does that make
> it possible to do an attack? The trusted validation code should be creating
> the Document and registering the IDs. If you are letting untrusted code
> create the Document for you and register arbitrary IDs, then that is a bug.


-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered

Mime
View raw message