[lxml-dev] Network downloading of schemas should be off by default?

Right now, AFAICT, it is on by default in lxml.etree.XMLParser. Network queries by library code are a bad idea: it's an unexpected behavior, causing potential security risk and guaranteed performance problems.

--
Itamar Shtull-Trauring
http://itamarst.org

On 6/1/07, Itamar Shtull-Trauring <itamar@itamarst.org> wrote:
> Right now, AFAICT, it is on by default in lxml.etree.XMLParser. Network queries by library code are a bad idea: it's an unexpected behavior, causing potential security risk and guaranteed performance problems.

I actually like the way the SAX interface handles this; you provide something that resolves references however you want, and it uses that.

-Fred

--
Fred L. Drake, Jr. <fdrake at gmail.com>
"Chaos is the score upon which reality is written." --Henry Miller

Hi,

Itamar Shtull-Trauring wrote:
> Right now, AFAICT, it is on by default in lxml.etree.XMLParser. Network queries by library code are a bad idea: it's an unexpected behavior, causing potential security risk and guaranteed performance problems.

It's straightforward to switch it off, but I agree that it would be good to have it disabled by default. Loading DTDs is off by default also, so that fits. We should change the default behaviour for 2.0.

Stefan
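
An added example, not code from this thread or from the lxml project: it switches network access off explicitly with `no_network=True` and, in the spirit of the resolver approach mentioned above, registers an `etree.Resolver` that answers DTD references only from a local in-memory catalog. The class and function names, the URLs and the sample documents are constructed for illustration.

```python
from lxml import etree

# Constructed sample data: the URLs, DTD and documents are made up for this example.
DTD_URL = "http://schemas.example.invalid/doc.dtd"
LOCAL_CATALOG = {DTD_URL: "<!ELEMENT doc (#PCDATA)>"}
DOC_KNOWN = b'<!DOCTYPE doc SYSTEM "%s"><doc>ok</doc>' % DTD_URL.encode()
DOC_UNKNOWN = (b'<!DOCTYPE doc SYSTEM "http://other.example.invalid/x.dtd">'
               b"<doc>ok</doc>")


class LocalOnlyResolver(etree.Resolver):
    """Serve external references from an in-memory catalog, never the network."""

    def __init__(self, catalog):
        super().__init__()
        self.catalog = catalog
        self.served, self.refused = [], []

    def resolve(self, system_url, public_id, context):
        body = self.catalog.get(system_url)
        if body is None:
            # Unknown reference: hand back an empty document instead of
            # letting libxml2 go looking for it, and keep a record for review.
            self.refused.append(system_url)
            return self.resolve_empty(context)
        self.served.append(system_url)
        return self.resolve_string(body, context)


def parse_local_only(xml_bytes, catalog=LOCAL_CATALOG):
    """Validate xml_bytes against its DTD using only catalog entries.

    Returns (root_or_None, resolver); root is None when parsing or
    validation failed, e.g. because the DTD reference was refused.
    """
    resolver = LocalOnlyResolver(catalog)
    # no_network=True is set explicitly rather than relying on the default;
    # it remains the backstop for anything the resolver does not handle.
    parser = etree.XMLParser(no_network=True, dtd_validation=True)
    parser.resolvers.add(resolver)
    try:
        root = etree.fromstring(xml_bytes, parser)
    except etree.LxmlError:
        root = None
    return root, resolver
```

The `refused` list gives a log of every external reference a document tried to pull in, which is useful when auditing untrusted input.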