-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix to not allow parameter entity references at internal subsets #191
Fix to not allow parameter entity references at internal subsets #191
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow!
Can we also check this in BaseParser
?
If we can do it, can we move the validation to #write
?
Do we need to update #unnormalized
and #normalized
too?
Lines 70 to 79 in e3f747f
# Evaluates to the unnormalized value of this entity; that is, replacing | |
# all entities -- both %ent; and &ent; entities. This differs from | |
# +value()+ in that +value+ only replaces %ent; entities. | |
def unnormalized | |
document.record_entity_expansion unless document.nil? | |
v = value() | |
return nil if v.nil? | |
@unnormalized = Text::unnormalize(v, parent) | |
@unnormalized | |
end |
Lines 83 to 87 in e3f747f
# Returns the value of this entity unprocessed -- raw. This is the | |
# normalized value; that is, with all %ent; and &ent; entities intact | |
def normalized | |
@value | |
end |
ee48121
to
5d75caf
Compare
I changed BaseParser to do this check.
I added validation to Entity.new.
Updated |
lib/rexml/entity.rb
Outdated
@@ -59,6 +60,10 @@ def initialize stream, value=nil, parent=nil, reference=false | |||
@name = stream | |||
@value = value | |||
end | |||
|
|||
if PEREFERENCE_RE.match?(@value) | |||
raise "Parameter Entity References forbidden in internal subset: #{@value}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Could you use
ArgumentError
instead ofRuntimeError
? - Could you avoid needless capital case?
raise "Parameter Entity References forbidden in internal subset: #{@value}" | |
raise ArgumentError, "Parameter entity references forbidden in internal subset: #{@value}" |
BTW, do we need a validation here? This method document says the following:
+WARNING+: There is no validation of entity state except when the entity
is read from a stream. If you start poking around with the accessors,
you can easily create a non-conformant Entity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, do we need a validation here?
OK.
I see.
We prefer not to add this validation in Entity.new
.
Similarly, I don't think this validation should be added to #write
.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with you.
## Why? In the internal subset of DTD, references to parameter entities are not allowed within markup declarations. See: https://www.w3.org/TR/xml/#wfc-PEinInternalSubset > Well-formedness constraint: PEs in Internal Subset > In the internal DTD subset, parameter-entity references MUST NOT occur within markup declarations; they may occur where markup declarations can occur. (This does not apply to references that occur in external parameter entities or to the external subset.)
5d75caf
to
eb73ef5
Compare
Thanks. |
Why?
In the internal subset of DTD, references to parameter entities are not allowed within markup declarations.
See: https://www.w3.org/TR/xml/#wfc-PEinInternalSubset