The documentation for XML_ParserCreateNS says for the sep parameter "you should pick a character for sep that can't be part of a legal URI".
This is a very bad suggestion, for example, the test suite uses the space character and Google code search suggests other people are using among other things "|", "!", "#", "&", ":", "/", and tab.
It is true that legal URIs cannot contain some of these characters such as space and tab, but xmlns attributes certainly can and Expat does not filter them out. Poorly written name expansion code is so easily vulnerable to attack.
Instead, the documentation should strongly recommend against using any of these characters and recommend to use a character that cannot occur in XML_Char arrays. In particular, -1 and WCHAR_MAX cannot occur because UTF-8 prohibits 0xFF and XML prohibits U+FFFF. Another suggestion would be 0x01 if Expat will never support XML 1.1.
Log in to post a comment.