Diffstat (limited to 'libxsde/xsde/c/expat/expat.h')
-rw-r--r--libxsde/xsde/c/expat/expat.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/libxsde/xsde/c/expat/expat.h b/libxsde/xsde/c/expat/expat.h
index f61d3fe..1d01773 100644
--- a/libxsde/xsde/c/expat/expat.h
+++ b/libxsde/xsde/c/expat/expat.h
@@ -215,6 +215,17 @@ XML_ParserCreate(const XML_Char *encoding);
and the local part will be concatenated without any separator.
It is a programming error to use the separator '\0' with namespace
triplets (see XML_SetReturnNSTriplet).
+ If a namespace separator is chosen that can be part of a URI or
+ part of an XML name, splitting an expanded name back into its
+ 1, 2 or 3 original parts on application level in the element handler
+ may end up vulnerable, so these are advised against; sane choices for
+ a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+ Note that Expat does not validate namespace URIs (beyond encoding)
+ against RFC 3986 today (and is not required to do so with regard to
+ the XML 1.0 namespaces specification) but it may start doing that
+ in future releases. Before that, an application using Expat must
+ be ready to receive namespace URIs containing non-URI characters.
*/
XMLPARSEAPI(XML_Parser)
XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
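Review bot: The added text says splitting an expanded name "may end up vulnerable" without naming the failure, and its two paragraphs are never connected. Since the second paragraph states that namespace URIs are not validated, nothing in this comment rules out a URI that itself contains the advised '\n' or '|', so an application that splits on the separator can still get parts that do not line up with URI, local name and prefix. I would state that consequence in the comment, e.g. `An application must not assume the separator cannot occur inside the URI part; treat an expanded name with more separators than expected as an error.` Whether the parser itself rejects such URIs is not visible here and should be confirmed against the parser source. The comment block starts above this hunk.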