Schema problems

David Megginson david at
Wed Sep 1 18:40:50 BST 1999

Oren Ben-Kiki writes:

 > > By allowing documents without explicit DOCTYPE declarations, XML (and,
 > > eventually, WebSGML) acknowledged that document instances can exist
 > > independently of schemas, and thus, that there can potentially be
 > > *many* schemas applied to any existing document.
 > Doesn't this contradict (a)? That is, must all these schemas agree
 > on the default values? Or is it intentional that you can replace
 > the default values as well?

That's a very messy question.  Personally, I'd be happy to accept a
schema spec that *didn't* specify default values.  I don't think that
most client-side XML is going to use schemas, whatever standard
emerges, because schemas introduce non-constant-time problems and
(with default values) security issues into the equation.


A schema is a separate resource that may reference other schemas
recursively, so I cannot safely predict how much parser (and, more
seriously, how much network activity) will be required to process a


If schemas contain default values, those default values might
compromise the security of my document (say, by providing a default
value of 'public' for an 'access' variable that was unspecified in the 
original document).  Again, since schemas can reference other schemas, 
they're only as secure as the entire tree -- for example, if the
schema refers to another at the Web site, and someone cracks, they've effectively cracked my schema (and my document) as

All the best,


David Megginson                 david at

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at
Archived as: and on CD-ROM/ISBN 981-02-3594-1
To (un)subscribe, mailto:majordomo at the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo at the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa at

More information about the Xml-dev mailing list