Re: [Sax-devel] setEntityResolver(null)
From: Miles S. <mi...@mi...> - 2003-04-03 10:16:18
Karl Waclawek wrote,

> Personally I believe that entity resolving is not a parser's job.
> From a programmer's view I think that separation of concerns
> is a good principle and should apply here too. In other words,
> there should not be any built-in entity resolving, but rather some
> separate default implementation, just the way you thought it worked.

I would prefer this as well. But there are too many applications which rely on default entity resolution for it to be possible to declare now that the default policy is not to resolve.

I think what we need is a clear and prominent statement in the Javadoc of the default policy, along with a warning along the lines of,

  This implies that by default an XMLReader will make outgoing network connections to resolve external entities. Consequently either you should ensure that input documents only contain trustworthy and reliable external entity URIs, or you should replace the default entity resolver with one which allows your application to have more precise control over entity resolution.

maybe with a brief sketch of what "trustworthy" and "reliable" mean, and the possible consequences of attempting to resolve via an untrustworthy or unreliable URI.

It probably needs to go in the class-level Javadoc for XMLReader.

Cheers,

Miles
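
The replacement resolver the message above recommends, sketched as an added example that is not part of the original message or of the SAX distribution: it serves allowlisted system IDs from local copies and refuses everything else, so the XMLReader never opens an outgoing connection. The class names and the example.invalid URIs are constructed for illustration, and the code assumes Java 9+ with the JDK's bundled parser.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class LocalOnlyResolverDemo {
    /** Resolves only allowlisted system IDs, from in-memory copies; refuses everything else. */
    static final class LocalOnlyResolver implements EntityResolver {
        private final Map<String, String> local; // system ID -> local replacement text

        LocalOnlyResolver(Map<String, String> local) { this.local = local; }

        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            String text = local.get(systemId);
            if (text == null) {
                // Returning null here would hand the URI back to the parser's
                // default resolution, i.e. an outgoing connection. Fail instead.
                throw new SAXException("external entity not allowed: " + systemId);
            }
            InputSource src = new InputSource(new StringReader(text));
            src.setSystemId(systemId);
            return src;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; example.invalid never resolves.
        String known = "http://example.invalid/known.dtd";
        String okDoc = "<!DOCTYPE r SYSTEM \"" + known + "\"><r/>";
        String badDoc = "<!DOCTYPE r SYSTEM \"http://example.invalid/other.dtd\"><r/>";

        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        reader.setEntityResolver(new LocalOnlyResolver(Map.of(known, "<!ELEMENT r EMPTY>")));
        reader.parse(new InputSource(new StringReader(okDoc)));
        System.out.println("allowlisted DTD: parsed from local copy");
        try {
            reader.parse(new InputSource(new StringReader(badDoc)));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```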