
312 points campuscodi | 1 comments
oncallthrow No.43374582
XML is to authentication bypasses what C is to buffer overflow attacks
thayne No.43375808
XML could really benefit from a standardized subset that cuts out all the unnecessary features and security footguns.
Nextgrid No.43376649
I find that the "unnecessary features" and footguns are what makes XML, well, XML. I guess there must be some legitimate usage of those, or at least was back in the day. If you strip them out, you'd end up with a JSON-like (so you may as well use JSON).
1. thayne No.43377295
No, you would have an extensible markup language. And JSON is not a good fit for markup.

Now, XML has also been used for a lot of things where a hierarchical format like JSON would have worked better than a markup format, of which SAML would be a good example. But there are also cases where a markup format makes more sense, like SVG or DocBook, or ODF.