[xml/sgml-pkgs] Bug#993638: Bug#993638: libxml2: XHTML 1.0 validation is broken

Thorsten Glaser t.glaser at tarent.de
Mon Sep 20 16:50:56 BST 2021


On Mon, 20 Sep 2021, Vincent Lefevre wrote:

> For the 1.1 DTD, w3c-dtd-xhtml 1.1-5 had the *upstream* file
> xhtml-1.1/basic/xhtml-special.ent with the buggy entity definitions

Hmm, now where did t̲h̲a̲t̲ come from?

http://www.w3.org/TR/2001/REC-xhtml11-20010531/xhtml11.tgz
has the flattened DTD.

Apparently XHTML™ Basic 1.1 is a thing, though. This is not XHTML 1.1…
http://www.w3.org/TR/2010/REC-xhtml-basic-20101123/xhtml-basic.tgz does
not contain the entities at all though.

Hah, got it! XHTML™ Basic 1.0 does contain the bogus file:
http://www.w3.org/TR/2000/REC-xhtml-basic-20001219/xhtml-basic.tgz
Its list of errata is empty, so this is not listed upstream as known bug.

> > But if this upstream change affects DTDs that were once released, maybe
> > it should accept, but ignore, this specific wrong redeclaration.
> 
> Perhaps. This should probably be first talked with upstream.

So indeed. Can one of you bring this to them? (My contributions to
libxml2 don’t appear to be liked, even if multiple CVEs could have
been avoided by applying them.)

Thanks,
//mirabilos
-- 
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

                        ****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
 ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
╱ ╲ header encryption!
                        ****************************************************



More information about the debian-xml-sgml-pkgs mailing list