Diffstat (limited to 'xsd-examples/cxx/tree/secure/README')
-rw-r--r-- | xsd-examples/cxx/tree/secure/README | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/xsd-examples/cxx/tree/secure/README b/xsd-examples/cxx/tree/secure/README new file mode 100644 index 0000000..7fa6445 --- /dev/null +++ b/xsd-examples/cxx/tree/secure/README 
@@ -0,0 +1,57 @@ +This example shows how to perform more secure XML parsing by disabling +the XML External Entity (XXE) Processing. If XML Schema validation is +used, then it would also make sense to pre-load the known schemas and +to disable loading of any external schemas, for example, via the +schemaLocation attribute found in the XML documents. See the comment +in driver.cxx for more information on how to achieve this. + +The example consists of the following files: + +library.xsd + XML Schema which describes a library of books. + +library.xml + Sample XML instance document. It includes (commented out) DOCTYPE + declarations with internal and external subsets that the parser + will refuse to process. + +library.hxx +library.cxx + C++ types that represent the given vocabulary and a set of parsing + functions that convert XML instance documents to a tree-like in-memory + object model. + + These files are generated by the XSD compiler from library.xsd using the + following command line: + + xsd cxx-tree library.xsd + +secure-dom-parser.hxx +secure-dom-parser.cxx + A secure Xerces-C++ DOM parser implementation that disables processing + of internal/external DTD subsets. + +driver.cxx + Driver for the example. It first sets up the secure DOM parser. It then + parses the input file to a DOM document using the secure DOM parser and + calls one of the parsing functions that constructs the object model from + this DOM document. Finally, the driver prints a number of books in the + object model to STDERR. + +To compile and link the example manually from the command line we can use +the following commands (replace 'c++' with your C++ compiler name): + +c++ -DXSD_CXX11 -c library.cxx +c++ -DXSD_CXX11 -c secure-dom-parser.cxx +c++ -DXSD_CXX11 -c driver.cxx +c++ -o driver driver.o library.o secure-dom-parser.o -lxerces-c + +Note that we need to define the XSD_CXX11 preprocessor macro since the +source code includes libxsd headers directly. 
+ +To run the example on the sample XML instance document execute: + +./driver library.xml + +To verify that DTD processing is disabled, uncomment a different DOCTYPE +version in the sample document. |
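Review bot: the verification step at the end of the hunk ("uncomment a different DOCTYPE version in the sample document") does not say what result the reader should expect, so it cannot distinguish the parser refusing the DTD from the parser silently skipping it; state the observable outcome, e.g. "./driver library.xml should now fail with a parse error instead of printing the books", and name where the error is reported (the driver writes to STDERR according to the driver.cxx description). It would also help to note, next to the schemaLocation caveat in the opening paragraph, that the build commands shown do not enable schema validation, so the schema pre-loading described in driver.cxx only matters once validation is turned on.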