[rfc-i] Proposal for v3 to simplify most references
nico at cryptonector.com
Mon Feb 10 08:56:14 PST 2014
On Mon, Feb 10, 2014 at 10:52 AM, John R Levine <johnl at taugh.com> wrote:
>>>> <library name="RFC-Editor"/>
>>>> <library name="my-lib" ref="URI to my reference library">
> I'm not at all thrilled by a feature that lets random people who submit I-Ds
> put in active code that makes xml2rfc fetch random posssibly hostile URLs.
> Kaboom. It doesn't have to make xml2rfc do anything particularly evil, just
> making it crash or hang (imagine a hostile URL that trickles the bytes out
> very slowly) would screw up a lot of automated scripts.
That's there now via XML entities. Perhaps the submission system
should reject I-Ds whose XML references anything other than the
RFC-Editor's standard reference library. A mode of xml2rfc will be
needed where it replaces external library references by in-lining
them. In any case, there's no reason not to permit private reference
libraries though (particularly considering the private memo feature).
More information about the rfc-interest