Marshall Rose wrote:

it isn't clear to me that the particular exploits you mention are
xml-specific or specific to a particular implementation.

i think that a carefully written implementation of an xml-parser is
likely to be resilient to all kinds of malicious nonsense; similarly, i
think that an implementation that isn't carefully written can have
problems.

i think i can
s/xml/current spf syntax/g

however, the assumption is flawed because while theorists may be
interested in provably perfect systems, experienced practitioners are
not.

The debating technique of turning the opposition's statement into an absurd
absolute can be found in the book "Dilbert and the Way of the Weasel". A good
read (and no, I'm not implying anyone here is a weasel).

The argument was never this absurd absolute:

XML-syntax has exploits, SPF-syntax can never have exploits. Therefore, we
should use SPF because we want a perfect system.

It was:

XML-syntax, because it is more complicated, is more likely to have exploits.
Several XML exploits are already known on multiple platforms. SPF-syntax is
much, much simpler, and thus is less likely to have exploits. Therefore, SPF is
preferable because we want a system which is less likely to have exploits.

Michael R. Brumm