undefined | Better HN

0 pointsjerf11y ago0 comments

Ironically, using an existing parser is what opens you to this vulnerability in the first place. If you hack your own together based on a vague idea of what XML really is, you're very unlikely to "correctly" handle entities, you'll probably just put in enough to handle simple XHTML entities, and that makes you immune to this problem! It's the compliant parsers that are vulnerable to this....

0 comments

Peaker11y ago

Or, if you use existing parsers in a language like Haskell, you know parsing is supposed to be a pure function. If parsing suddenly requires IO effects, you can be suspicious and try to figure out what is going on.

gamegoblin11y ago

Even with haskell, someone could sneak in a performUnsafeIO call if you aren't careful. Of course this is trivial to detect with compiler flags etc.

Peaker11y ago

We're not talking about a malicious XML library here, though. We're talking about a misunderstanding regarding what happens during legitimate parsing of XML.

1 more reply

jrockway11y ago

More likely, they'll just write bindings to libxml2.

1 more reply

j / k navigate · click thread line to collapse

0 pointsjerf11y ago0 comments

0 comments

Peaker11y ago

gamegoblin11y ago

Even with haskell, someone could sneak in a performUnsafeIO call if you aren't careful. Of course this is trivial to detect with compiler flags etc.

Peaker11y ago

We're not talking about a malicious XML library here, though. We're talking about a misunderstanding regarding what happens during legitimate parsing of XML.

1 more reply

jrockway11y ago

More likely, they'll just write bindings to libxml2.

1 more reply

j / k navigate · click thread line to collapse