From 5e527213a2430bb3018e5eebd909aef294edf9b5 Mon Sep 17 00:00:00 2001 From: Karen Arutyunov Date: Fri, 18 Dec 2020 18:48:46 +0300 Subject: Switch to build2 --- xsd-examples/cxx/tree/secure/README | 41 +++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 xsd-examples/cxx/tree/secure/README (limited to 'xsd-examples/cxx/tree/secure/README') diff --git a/xsd-examples/cxx/tree/secure/README b/xsd-examples/cxx/tree/secure/README new file mode 100644 index 0000000..649f0a3 --- /dev/null +++ b/xsd-examples/cxx/tree/secure/README 
@@ -0,0 +1,41 @@ +This example shows how to perform more secure XML parsing by disabling +the XML External Entity (XXE) Processing. If XML Schema validation is +used, then it would also make sense to pre-load the known schemas and +to disable loading of any external schemas, for example, via the +schemaLocation attribute found in the XML documents. See the comment +in driver.cxx for more information on how to achieve this. + +The example consists of the following files: + +library.xsd + XML Schema which describes a library of books. + +library.xml + Sample XML instance document. It includes (commented out) DOCTYPE + declarations with internal and external subsets that the parser + will refuse to process. + +library.hxx +library.cxx + C++ types that represent the given vocabulary and a set of parsing + functions that convert XML instance documents to a tree-like in-memory + object model. These are generated by the XSD compiler from library.xsd. + +secure-dom-parser.hxx +secure-dom-parser.cxx + A secure Xerces-C++ DOM parser implementation that disables processing + of internal/external DTD subsets. + +driver.cxx + Driver for the example. It first sets up the secure DOM parser. It then + parses the input file to a DOM document using the secure DOM parser and + calls one of the parsing functions that constructs the object model from + this DOM document. Finally, the driver prints a number of books in the + object model to STDERR. + +To run the example on the sample XML instance document simply execute: + +$ ./driver library.xml + +To verify that DTD processing is disabled, uncomment a different DOCTYPE +version in the sample document. -- cgit v1.1
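Review bot: The verification instructions at the end of the README ("To verify that DTD processing is disabled, uncomment a different DOCTYPE version in the sample document") leave out what the reader should expect to observe; since the file earlier states that the parser "will refuse to process" the internal and external subsets, add one line saying that the driver is expected to fail with a parsing error rather than print the book count, so a user can tell a successful refusal from a build or environment problem. On the same topic, the driver description says it "prints a number of books ... to STDERR", which reads as "some books"; if it prints the count, "prints the number of books" is clearer. Finally, the first paragraph correctly notes that schemaLocation-driven loading is a separate concern from XXE and points to the comment in driver.cxx; it would help to state explicitly here that the secure DOM parser in this example addresses only the DTD/XXE part, so nobody assumes that disabling DTD processing alone also blocks external schema fetches.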