path: root/examples/cxx/tree/secure/README
Diffstat (limited to 'examples/cxx/tree/secure/README')
-rw-r--r--  examples/cxx/tree/secure/README  41
1 files changed, 41 insertions, 0 deletions
diff --git a/examples/cxx/tree/secure/README b/examples/cxx/tree/secure/README
new file mode 100644
index 0000000..649f0a3
--- /dev/null
+++ b/examples/cxx/tree/secure/README
@@ -0,0 +1,41 @@
+This example shows how to perform more secure XML parsing by disabling
+the XML External Entity (XXE) Processing. If XML Schema validation is
+used, then it would also make sense to pre-load the known schemas and
+to disable loading of any external schemas, for example, via the
+schemaLocation attribute found in the XML documents. See the comment
+in driver.cxx for more information on how to achieve this.
+
+The example consists of the following files:
+
+library.xsd
+ XML Schema which describes a library of books.
+
+library.xml
+ Sample XML instance document. It includes (commented out) DOCTYPE
+ declarations with internal and external subsets that the parser
+ will refuse to process.
+
+library.hxx
+library.cxx
+ C++ types that represent the given vocabulary and a set of parsing
+ functions that convert XML instance documents to a tree-like in-memory
+ object model. These are generated by the XSD compiler from library.xsd.
+
+secure-dom-parser.hxx
+secure-dom-parser.cxx
+ A secure Xerces-C++ DOM parser implementation that disables processing
+ of internal/external DTD subsets.
+
+driver.cxx
+ Driver for the example. It first sets up the secure DOM parser. It then
+ parses the input file to a DOM document using the secure DOM parser and
+ calls one of the parsing functions that constructs the object model from
+ this DOM document. Finally, the driver prints a number of books in the
+ object model to STDERR.
+
+To run the example on the sample XML instance document simply execute:
+
+$ ./driver library.xml
+
+To verify that DTD processing is disabled, uncomment a different DOCTYPE
+version in the sample document.
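Review bot: the verification step at the end of the README ("uncomment a different DOCTYPE version in the sample document") does not say what the reader should observe, so a successful refusal is indistinguishable from a parser that silently ignored the DOCTYPE; state the expected outcome explicitly, for example that ./driver exits with an error reporting the rejected DOCTYPE declaration instead of printing the book list. Two smaller points in the opening paragraph: "disabling the XML External Entity (XXE) Processing" names an attack class as if it were a parser feature, and the wording that matches the secure-dom-parser description further down is that the example disables DTD processing (internal and external subsets), which is what prevents external entity resolution and entity-expansion attacks. And since the schemaLocation and schema pre-loading advice is deferred to a comment in driver.cxx, say here whether this example enables schema validation at all, so readers do not assume that the secure DOM parser by itself also stops external schema fetching. Finally, "prints a number of books" is ambiguous between the count of books and the books themselves; pick one.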