External parsed entities in the internal DTD subset of an SVG content document #1355
The solution proposed by the WG being in #1338 (comment), I agree with Makoto that the sample above is compliant with this proposal BUT causes problems for offline reading systems (especially if "desc.ent" is replaced by a full URL) and can trigger XML external entity attacks, and therefore should not be compliant with the EPUB spec.
Another example for an XHTML use case (why only SVG?).
&t1;&p1; &p2;&t1;&p2; &p2;
meins.dtd is a file in the EPUB archive with simple content like this:
Ein Absatz repräsentiert einen abgeschlossenen Gedankengang."> Ein Dokument kann natürlich viele Absätze enthalten.">
Of course, 'meins.dtd' must not contain any URI/IRI references to external subsets. Presumably such a construct would expose, if some user-agent, viewer or reading system uses an HTML5 tag soup parser instead of the required XML parser ...
Oh - the GitHub parser seems to corrupt the example and these symbols to edit seem not to work in my browser - no accessible (unscripted) techniques available at GitHub? ;o)
Hopefully with entities it works better:
<:?xml version="1.0" encoding="UTF-8" ?>:
meins.dtd is a file in the EPUB archive with simple content like this:
<:!ENTITY t1 "Hallo Welt!">:
I'm trying to solve one issue at a time. Please start another thread for your question, since it is not about SVG.
This issue was discussed in a meeting.
Wendy Reid: we had resolutions at the F2F, and further discussions on github
… and came to a happy place
Matt Garrish: #1368
Matt Garrish: where we ended up was…
… we put in an allowance for a specific set of external identifiers that we have put in an appendix
… we have SVG and MathML that are allowed to be used in content docs or in separate files
… and we made a restriction against external entities in the internal DTD subset
… so it prevents some security issues but eases authoring
… so we’ll no longer force people to remove SVG DTDs from tool-generated files
… I’m hoping this is it :)
Ivan Herman: tech comment
… in fact, the changes are such that
… makes possible something that I’m not sure we really use
… I can define as part of an internal entity something that won’t go out to the network
… I’m not sure if this feature is in use
… formal comment
… there was a formal resolution on the previous version; this PR slightly changes that
… can we get a formal resolution to merge, and also close a bunch of issues which were examples of the problem?
Proposed resolution: Merge PR #1368 to address outstanding DTD issues, and close GH issues 1369-1373 (Wendy Reid)
Garth Conboy: +1
Matt Garrish: +1
Ivan Herman: +1
Charles LaPierre: +1
Matthew Chan: +1
Wendy Reid: +1
Brady Duga: +1
George Kerscher: +1
Laura Brady: +1
Bill Kasdorf: +1
Ben Schroeter: +1
Resolution #1: Merge PR #1368 to address outstanding DTD issues, and close GH issues 1369-1373
@wareid I believe this issue should be closed, too
In my understanding, EPUB 3.2 does not allow this XML document as an SVG content document.
Here desc is an external parsed entity declared in an internal DTD subset. The content of desc.ent is "<desc></desc>", possibly preceded by the XML declaration.
Do people agree that this is not an SVG content document, as specified in EPUB 3.0, 3.0.1, and 3.2? The proposed resolution (see #1354) appears to allow this as an SVG content document. Is this intentional?
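A checker can enforce the restriction recorded in the meeting above (no external entities in the internal DTD subset) without ever resolving the entity. The following is an added example, not code from this thread or from the EPUB specification: the function name and both sample documents are constructed, with the first sample modelled on the `desc` / `desc.ent` description in the post above and the second on the `t1` entity from the comments.

```python
import xml.parsers.expat

# Constructed sample: an external parsed entity declared in the internal subset.
SAMPLE_EXTERNAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [
  <!ENTITY desc SYSTEM "desc.ent">
]>
<svg xmlns="http://www.w3.org/2000/svg">&desc;</svg>
"""

# Constructed sample: an internal entity only, nothing to fetch.
SAMPLE_INTERNAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
  <!ENTITY t1 "Hallo Welt!">
]>
<html xmlns="http://www.w3.org/1999/xhtml"><body><p>&t1;</p></body></html>
"""


def external_entities_in_internal_subset(xml_bytes):
    """Return (name, kind, system_id, public_id) for every external entity
    declared in the internal DTD subset of the given document.

    Nothing is fetched: no ExternalEntityRefHandler is installed and
    parameter-entity parsing is left off, so expat only reports the
    declarations it sees in the document itself.
    """
    findings = []

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        # Internal entities carry a literal value; external entities have
        # value None and a system identifier instead.
        if value is None and system_id is not None:
            if notation is not None:
                kind = "unparsed"
            elif is_parameter:
                kind = "parameter"
            else:
                kind = "parsed"
            findings.append((name, kind, system_id, public_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # raises ExpatError if not well-formed
    return findings
```

A non-empty result means the document declares an external entity in its internal subset and should be rejected; an empty result says nothing about the DOCTYPE's own external identifier, which needs a separate check.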