Breaking news in XML

Despite the scanty turnout, the recent XTech 2000 show produced several important XML/Java-related announcements

Although sparsely attended, the recent XTech 2000 conference, held February 28 to March 2 in San Jose, Calif., featured some notable XML/Java announcements:

  • JAXP: The Java standard for XML
  • XML: Unexpected security holes
  • EasySAX: A better parsing mechanism?
  • SML: Is a simpler XML a good idea?
  • RELAX: Your schema is here!


JAXP: The Java standard for XML

Sun announced the Java API for XML Parsing (JAXP) standard, released February 25. The API comes with a reference implementation, but developers can plug in parsers from different vendors without changing their programs.

In a sense, this announcement is long overdue -- the Simple API for XML (SAX) and Document Object Model (DOM) standards have been around for quite a while. Sun's strategy here is to implement only accepted standards, defining the bare minimum of additional APIs necessary to package them together in a way that makes parsers into a pluggable commodity for developers. Even those APIs had to go through Sun's Java Community Process (JCP), both to achieve the best possible standard and to forestall any impression that Sun was trying to dictate standards in any way. So the initial JAXP APIs took quite a bit of time.

James Davidson, specification lead for Sun, also announced that the next version of JAXP would cover DOM level 2, the XSLT stylesheet/translation specification, and, if the specification is completed in time, SAX level 2. Presumably, those implementations will take much less time, since they won't be stalled by the need to define the pluggability layer that JAXP provides.

XML: Unexpected security holes

David Megginson, of Megginson Technologies, gave an amusing yet ultimately serious talk on XML's potential vulnerability to content vandalism by even unsophisticated hackers. The problems mostly stem from the ability to reference remote stylesheets in a document. A highly secure industrial system might reference a large stylesheet on a relatively insecure campus computer, for example.

A cracker could then modify that stylesheet in ways that changed the perceived content of the page. Megginson used some amusing examples to demonstrate the potential results of such an attack. He showed that a bolded "not" in a sentence could be changed to match the background, making it disappear. (If "not" came at the end of a line, its disappearance might not be noticed, drastically changing the sentence's meaning.) In another example, Megginson showed how the ability to add decorations to a line in a stylesheet would make it possible to add the words "BIG LIE:" to the beginning of a list item.

The bottom line for industry: most potential stylesheet security problems can be avoided by copying stylesheets to a secure local area and referencing them there. That might not be the ideal answer, but it is a highly effective, relatively low-cost solution that is likely to be the norm for years to come.
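The two announcements above fit together in practice: the pluggable JAXP parser is a convenient place to audit a document for the remote stylesheet references Megginson warned about before the document is rendered. The following is an added example, written for this article and not code from Sun, JAXP, or Megginson's talk. It uses the `javax.xml.parsers` API JAXP defines (`SAXParserFactory.newInstance()` selects whichever vendor parser is configured at runtime), collects every `xml-stylesheet` processing instruction, and reports any `href` that is an absolute URI rather than a path relative to the document. The sample XML, the `StylesheetAudit` class, and the host name `campus.example.edu` are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Audits a document for xml-stylesheet references that are fetched from elsewhere. */
public class StylesheetAudit {

    // Constructed sample: one stylesheet kept alongside the document, one on a
    // remote campus host of the kind the talk described (hypothetical name).
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<?xml-stylesheet type=\"text/xsl\" href=\"styles/report.xsl\"?>\n"
      + "<?xml-stylesheet type=\"text/xsl\" href=\"http://campus.example.edu/xsl/big.xsl\"?>\n"
      + "<report><item>The valve is <b>not</b> open</item></report>\n";

    // The PI data is pseudo-attribute text, not XML attributes, so SAX hands it
    // over as a raw string and we pull the href out ourselves.
    private static final Pattern HREF = Pattern.compile("href\\s*=\\s*([\"'])(.*?)\\1");

    /** SAX handler that records the href of every xml-stylesheet PI it sees. */
    static class StylesheetHandler extends DefaultHandler {
        final List<String> hrefs = new ArrayList<>();

        @Override
        public void processingInstruction(String target, String data) {
            if (!"xml-stylesheet".equals(target)) return;
            Matcher m = HREF.matcher(data);
            if (m.find()) hrefs.add(m.group(2));
        }
    }

    /**
     * True when the href is an absolute URI (has a scheme or host), i.e. the
     * stylesheet is not resolved relative to the document's own location.
     * Anything that fails to parse as a URI is also reported rather than trusted.
     */
    static boolean isNonLocalReference(String href) {
        try {
            URI u = new URI(href);
            return u.getScheme() != null || u.getHost() != null;
        } catch (URISyntaxException e) {
            return true;
        }
    }

    /** Parses the document with whatever JAXP parser is installed and returns the offending hrefs. */
    static List<String> findNonLocalStylesheets(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory factory = SAXParserFactory.newInstance(); // vendor chosen at runtime
        SAXParser parser = factory.newSAXParser();
        StylesheetHandler handler = new StylesheetHandler();
        parser.parse(new InputSource(new StringReader(xml)), handler);

        List<String> flagged = new ArrayList<>();
        for (String h : handler.hrefs) {
            if (isNonLocalReference(h)) flagged.add(h);
        }
        return flagged;
    }

    public static void main(String[] args) throws Exception {
        // For the sample above this reports only the http://campus.example.edu/... reference.
        for (String h : findNonLocalStylesheets(SAMPLE_XML)) {
            System.out.println("stylesheet fetched from outside the document's location: " + h);
        }
    }
}
```

Applying the talk's recommendation (copy the stylesheet into a controlled local area and reference it by relative path) makes the audit pass, which is the point: the check enforces the policy rather than replacing it. Because the parser comes from `SAXParserFactory`, the same audit runs unchanged against any vendor's parser that JAXP can plug in.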

EasySAX: A better parsing mechanism?

Paul Prescod, a consulting engineer at Isogen, introduced a novel approach to XML processing called EasySAX -- although a more accurate name might have been BetterDOM or SmallerDOM. Although he implemented his parser in the Python language, the interest it will generate makes a Java implementation likely.


Resources