On mån, 2010-03-22 at 19:38 -0400, Andrew Dunstan wrote:
> > But if we are not comfortable about being able to do that safely, I
> > would be OK with just raising an error if a concatenation is
> attempted
> > where one value contains a DTD. The impact in practice should be
> low.
> >
>
> Right. Can you find a way to do that using the libxml API? I haven't
> managed to, and I'm pretty sure I can construct XML that fails every
> simple string search test I can think of, either with a false negative
> or a false positive.
The documentation on that is terse as usual. In any case, you will need
to XML parse the input values, and so you might as well resort to
parsing the output value to see if it is well-formed, which should catch
this mistake and possibly others.
