Poll: do you need XML validation with DTDs? Entities?


For librsvg, I’m in need of an XML parser that supports entities. I know about entity expansion attacks and how they are mitigated (e.g. what libxml2 does).

I’m tempted to add support for entity expansion to xml-rs, but since entities are declared in the DOCTYPE, it kind of ties with DTDs and validation.

So here’s a poll. Do you use XML with Rust and require XML validation with DTDs? Do you require entities?


Entity expansion: yes
Validation: no


I think about write software for gpx/kml, it would be nice to check
them with dtd before parsing.


Do you mean inline DTD fragments which define entities? I think there are some SVG images out there which define entities for compatibility with HTML, so I think even for SVG processing, you need to deal with inline DTD fragments.


Entity expansion from known standard DTDs: yes
Entity expansion from internal subset declared inline in DOCTYPE: not necessary
Entity expansion from arbitrary external DTDs: nope
Validation: definitely not