And they "forgot" to tell people that if doing this properly, they need to use a... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		silon42 on Sept 19, 2024 \| parent \| context \| favorite \| on: Ruby-SAML pwned by XML signature wrapping attacks And they "forgot" to tell people that if doing this properly, they need to use a schema/DTD where Id is defined as ID and then guaranteed unique by XML parser. I've seen invalid schemas/signatures where Id was just defined as string in the schema (fails when verifying using libxml/xmlsec for example)

SigmundA on Sept 20, 2024 [–]

GetElementId makes sure its a NCName and makes sure its unique regardless, you can view the source here: https://github.com/dotnet/runtime/blob/c4d7f7c6f2e2f34f07e64...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact