Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Nmap Development: Re: [PATCH] Add --dtd and --webdtd for <!DOCTYPE ...> with -oX

Re: [PATCH] Add --dtd and --webdtd for <!DOCTYPE ...> with -oX

From: Kris Katterjohn <katterjohn_at_gmail.com>
Date: Tue, 23 Jan 2007 15:40:23 -0600

William McVey wrote:
> On Tue, 2007-01-23 at 11:48 -0600, Kris Katterjohn wrote:
>> I'm not trying to be rude, but I just don't get what you're saying. If
>> a
>> user messes with it, they are *messing* with it. I don't think keeping
>> this option out of Nmap just because somebody might screw it up, by
>> their own choice, is a good idea.
>
> Well, my thought is that the criteria shouldn't be whether the option
> should be kept out of nmap or not, but whether it really needs to be
> added in the first place. There are certainly more canonical ways in the
> XML world to tweak a document declaration (an xsl transform utilizing
> the doctype-system attribute on xsl:output being the most "standard").
> In fact, I can think of no other tool in any field that provides the
> capability to override the document declaration to the end user (perhaps
> an HTML editor that allows you choose the varient of XHTML you want to
> use, but that's not changing the SYSTEM URI spec, that's just choosing
> among a set of pre-canned document varients. I mean, when was the time
> you were given the option of where the DTD for a XML language is
> located? It's certainly not something the "big" xml generators support.
>
> As I mentioned in my original mesg, I'm not dead set against the --dtd
> option (even if I were, it's not my decision), but I'm also not sold on
> the necessity for nmap to support producing a doctype beyond the
> canonical "official" declaration that should be the default in the first
> place.
>
>> Of course, I'm not a big XML person and I don't use -oX very often,
>> and
>> if I do it's only to view it in a browser real quick. So I'm really
>> just
>> throwing my 2 cents in :)
>
> Debating declarations is very much a minutia detail. The main argument
> against having a commandline option for setting up a custom declaration
> is that it's just not needed and nmap really isn't running short of
> options as it is. The main reason for it seems to allow someone to do
> something they can already do using more standard facilities available
> in XML. My main point though is that I think the webdtd option should be
> axed in favor of changing the default behavior and I feel that the
> "official" URI for the SYSTEM specifier on insecure.org should
> accommodate a version string so that the XML output format can evolve
> without overnight invalidating thousands of XML documents around the
> world.
>
> -- William
>

Okay, that's all cool. Like I said, I don't use it very often. I was
replying to him initially because I like to get responses from others,
and I figure I can't want and not give.

I'm not arguing for or against it, I just wanted to now more about what
you meant. So thanks for elaborating :)

-Kris

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Jan 23 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]