santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chad La Joie <>
Subject Re: XML Security Java 1.5.0-RC1 available
Date Tue, 20 Dec 2011 16:14:51 GMT
Okay, so what you've just said is that you can use schema validation
and xmlsec together.  Is that really what is intended?

On Tue, Dec 20, 2011 at 11:12, Sean Mullan <> wrote:
> The code does still call DOM Document.getElementById, but how does that make
> it possible to do an attack? The trusted validation code should be creating
> the Document and registering the IDs. If you are letting untrusted code
> create the Document for you and register arbitrary IDs, then that is a bug.

Chad La Joie
trusted identities, delivered

View raw message