lib|doc: Add a note on namespace URI validation

2025-04-05 21:24:59 +00:00 · 2022-03-01 23:04:52 +01:00 · 2022-03-01 23:04:52 +01:00 · c57bea96b7
commit c57bea96b7
parent 5dd5218297
2 changed files with 14 additions and 0 deletions
--- a/expat/doc/reference.html
+++ b/expat/doc/reference.html
@ -974,6 +974,14 @@ the local part will be concatenated without any separator - this is intended
 to support RDF processors. It is a programming error to use the null separator
 with <a href= "#XML_SetReturnNSTriplet">namespace triplets</a>.</div>

+<p><strong>Note:</strong>
+Expat does not validate namespace URIs (beyond encoding)
+against RFC 3986 today (and is not required to do so with regard to
+the XML 1.0 namespaces specification) but it may start doing that
+in future releases.  Before that, an application using Expat must
+be ready to receive namespace URIs containing non-URI characters.
+</p>
+
 <h4 id="XML_ParserCreate_MM">XML_ParserCreate_MM</h4>
 <pre class="fcndec">
 XML_Parser XMLCALL
--- a/expat/lib/expat.h
+++ b/expat/lib/expat.h
@ -244,6 +244,12 @@ XML_ParserCreate(const XML_Char *encoding);
   1, 2 or 3 original parts on application level in the element handler
   may end up vulnerable, so these are advised against;  sane choices for
   a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+   Note that Expat does not validate namespace URIs (beyond encoding)
+   against RFC 3986 today (and is not required to do so with regard to
+   the XML 1.0 namespaces specification) but it may start doing that
+   in future releases.  Before that, an application using Expat must
+   be ready to receive namespace URIs containing non-URI characters.
 */
 XMLPARSEAPI(XML_Parser)
 XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);