[jdev] Driving/Routing directions via XMPP

Richard Dobson richard at dobson-i.net
Tue Aug 17 09:10:17 CDT 2004


>> <iq
>>     to='lbs at movsoftware.com/lbs'
>>     from=' juliet at capulet.com/balcony'
>>     type='get'
>>     id='route1'>
>>   <query xmlns='http://www.movsoftware.com/protocol/routing'>
>>     <src street= '4555 Main Street ' city='Philadelphia' state = 'PA'
>> country='USA' code='19117'/>
>>     <dst street= '9000 West Elm Street ' city='Philadelphia' state = 'PA'
>> country='USA' code='19117'/>
>
> Careful of the inconsistent XML schema.  Users can easily craft evil stuff
> like this:
>
>    <src street='4555 Main Street' jid='bob at jabber.org'/>
>
> Uh-oh, which do we use?  The main street from the query?  Or the main
> street from the user's actual location?  Better if these children were
> elements, sort of like...
>
>    <src>
>        <street>4555 Main Street</street>
>    </src>
>
> That allows you to have a constraint where street and jid are mutually
> exclusive, without resorting to RELAX NG.  And it doesn't add too many
> characters evil. :-)

I don't see how your suggestion of child elements actually solves anything.
What if the evil user crafted the following:

    <src>
        <street>4555 Main Street</street>
        <jid>bob at jabber.org</jid>
    </src>

You still don't know any more than the original about which one should be
used. The problem of which one to use cannot be solved by changing the
format of the XML; the only place it can be solved is in the rules (code)
you use for processing the XML. I say keep it how it was; it's fine that way.
Having child elements for the reasons you suggest does not actually solve
the problem you were alluding to, and all it does is make it slightly more
difficult to process and add unnecessary extra bytes.

Richard
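
The point argued above, that the street-versus-JID conflict has to be settled by the processing rules rather than by the XML layout, as an added example that is not part of the original thread. The function names, the exception class and the policy of rejecting a conflicting endpoint instead of picking one are assumptions; the samples are constructed.

```python
import xml.etree.ElementTree as ET

ADDRESS_FIELDS = {"street", "city", "state", "country", "code"}  # names used in the thread
ALLOWED = ADDRESS_FIELDS | {"jid"}

class AmbiguousLocation(ValueError):
    """The endpoint does not resolve to exactly one kind of location."""

def collect_fields(elem):
    """Gather fields from attributes and child elements, so both encodings
    discussed in the thread pass through the same rule."""
    pairs = list(elem.attrib.items())
    # Strip any "{namespace}" prefix ElementTree puts on child tags.
    pairs += [(child.tag.rsplit("}", 1)[-1], child.text or "") for child in elem]
    fields = {}
    for name, value in pairs:
        if name not in ALLOWED:
            raise AmbiguousLocation(f"unexpected field {name!r}")
        if name in fields:
            raise AmbiguousLocation(f"field {name!r} supplied more than once")
        fields[name] = value.strip()
    return fields

def resolve_endpoint(elem):
    """Return ('jid', value) or ('address', fields); never guess between them."""
    fields = collect_fields(elem)
    has_jid = "jid" in fields
    has_address = any(name in ADDRESS_FIELDS for name in fields)
    if has_jid and has_address:
        raise AmbiguousLocation("jid and postal address are mutually exclusive")
    if not has_jid and not has_address:
        raise AmbiguousLocation("no location given")
    if has_jid:
        return ("jid", fields["jid"])
    return ("address", fields)

def resolve_endpoint_text(xml_text):
    """Convenience wrapper for the constructed samples below."""
    return resolve_endpoint(ET.fromstring(xml_text))

# Constructed samples (address and JID are made up for this example).
SAMPLES = [
    "<src street='4555 Main Street' city='Philadelphia'/>",
    "<src jid='bob@example.org'/>",
    "<src street='4555 Main Street' jid='bob@example.org'/>",
    "<src><street>4555 Main Street</street><jid>bob@example.org</jid></src>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(resolve_endpoint_text(sample))
        except AmbiguousLocation as err:
            print("rejected:", err)
```

The attribute form and the child-element form are rejected by the same check, so the encoding choice does not change what the service has to enforce.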




