English 中文(简体)
Using CDATA element in XML is vulnerable or not?
原标题:
  • 时间:2009-11-13 11:02:06
  •  标签:
  • xml
  • cdata

Is it a vulnerable using CDATA element in XML documents? If so what happens if we use CDATA element in XML documents?

最佳回答

I don t know what you mean by ‘vulnerability’, but there is one mistake many people make with CDATA sections. This happens when a lazy programmer doesn t really understand text-escaping, and tries to avoid the normal process of &-encoding special characters in XML. They think they can get away with:

print "<element><![CDATA["+textstring+"]]></element>";

and whilst this will indeed stop a < or & character in textstring being treated as markup, it s not watertight because textstring might contain a ]]> sequence, resulting in:

<element><![CDATA[ Foo ]]> <bar>I m an unexpected element!</bar> ]]></element>

This is an XML-injection, which like an HTML-injection could potentially have an XSS-like security impact.

So you d still need to escape some sequences in CDATA (usually, you would split a ]]> sequence between two CDATA sections). In practice that makes using CDATA no easier than just &-encoding your text content the normal way. So really there is no reason ever to use a CDATA section.

问题回答

A CDATA section is simply another way of representing character data within an XML document. It means exactly the same thing as any other (non-tag) text in a document, except that it s escaped differently.

There is no extra "vulnerability" associated with CDATA (except for bugs in your XML parsing library, of course).

Vulnerable to what? An injection attack of some kind? CDATA tells the parser to pass the contents without parsing it, so if you re validating your XML I suppose the CDATA section misses out on the validation step.

The code that uses the XML stream should have some kind of business validation above and beyond the schema validation, so you re only at risk if you fail to check inputs before you use them.





相关问题
how to represent it in dtd?

I have two element action and guid. guid is a required field when action is add. but when action is del it will not appear in file. How to represent this in dtd ?

.Net application configuration add xml-data

I need to add xml-content to my application configuration file. Is there a way to add it directly to the appSettings section or do I need to implement a configSection? Is it possible to add the xml ...

XStream serializing collections

I have a class structure that I would like to serialize with Xstream. The root class contains a collection of other objects (of varying types). I would like to only serialize part of the objects that ...

MS Word splits words in its XML format

I have a Word 2003 document saved as a XML in WordProcessingML format. It contains few placeholders which will be dynamically replaced by an appropriate content. But, the problem is that Word ...

Merging an XML file with a list of changes

I have two XML files that are generated by another application I have no control over. The first is a settings file, and the second is a list of changes that should be applied to the first. Main ...

How do I check if a node has no siblings?

I have a org.w3c.dom.Node object. I would like to see if it has any other siblings. Here s what I have tried: Node sibling = node.getNextSibling(); if(sibling == null) return true; else ...

Ordering a hash to xml: Rails

I m building an xml document from a hash. The xml attributes need to be in order. How can this be accomplished? hash.to_xml

热门标签