ANN: Xml Serialization 1.0.pre3 

(partial Readme follows -- see web site for full information)

=Xml Serialization for Ruby

Download 1.0.pre3::
http://www.*-*-*.com/
REXML (>=1.2.5)*:: http://www.*-*-*.com/ ~ser/Software/rexml
Home Page:: http://www.*-*-*.com/
ViewCVS:: http://www.*-*-*.com/
Anon CVS:: http://www.*-*-*.com/

\* not tested (yet) with any version > 1.2.7.

Please review the Security Issues section before using.

===Overview

Xml Serialization allows classes to be marshalled to and from XML.

It consists of a module (+XmlSerialization+) and modified standard
classes which add +to_xml+ and +from_xml+ methods. +to_xml+ is an
instance method which returns an XML element containing the data from
each instance variable in the including class. +from_xml+ is a
singleton/class method which accepts an XML element and creates an
instance of the class with the data in the element.

Currently, REXML is used for XML parsing. It's possible later versions
could plug-in other XML processors.

This project is still in a pre-release state, though functional. Feel
free to give me feedback (code contributions are of course always
welcome).

===License (see website for full license)


license.

===Security Issues

1.0.pre3 switched from requiring attribute accessors for deserialization
to calling +instance_eval+. This is more convenient, but has a potential
security hole.

If the $+SAFE+ level is set to 1, all strings read in from a file are
marked tainted, and cannot be passed to +instance_eval+. However,
because REXML passes all strings through +Array+.+pack+ and
+Array+.+unpack+ calls to support various xml encodings, the string's
taintedness is lost, and the +instance_eval+ calls are allowed.

Beyond that, a $+SAFE+ level of 3 or more will simply not allow calls
to +instance_eval+, so the current release won't work under those
conditions.

In 1.0.pre4, I plan to re-add the original code that uses +send+ and
requires writer accessor methods, in addition to the +instance_eval+
code, and add a +XSConf+ switch to control this. The default setting
will be required accessor methods to play it safe with the potential
security hole.

I've been discussing this issue with Sean Russell, author of REXML, and
it's possible that REXML will be changed to retain the string's
taintedness through the encoding process. In this case, the security
hole should be closed, and the option to not use +instance_eval+ will be
necessary at any $+SAFE+ level.

===Contributors
* Harry Ohlsen
  * Support for classes in modules and inner classes
  * Code to use eval instead of send for classes w/o accessors
  * Code to work around initialize method for instantiating classes with
    parameterized initializers

* Stefan Mueller
  * +TrueClass+ and +FalseClass+ support

===Change Log

====1.0.pre3
* Support for classes in modules and inner classes
* +instance_eval+ used instead of send to set instance data. Accessor
  methods no longer required
* +XSConf+.+bypassInitialize+ option to deserialize classes without
  default/parameterless initialize methods
* +TrueClass+ and +FalseClass+ support

===To Do

====pre4

- add back attribute accessor and a XSConf switch to support both options.
  Using +instance_eval+ has a potential security hole that is not protected by
  $SAFE == 1 even when deserializing from an xml file. Using +instance_eval+
  is not an option in $SAFE >= 3.

- xmlserial gets stuck in a loop if the elements in my tree have references
  to their parents. I had to delete the references before to_xmling the tree,
  and restore them afterwards. Marshal does not have this problem. [Stefan
  Mueller]



Tue, 02 Nov 2004 11:56:12 GMT  
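
The difference between the two deserialization strategies described in the Security Issues section above, as an added example that is not part of the original post and is not the library's code. The Account class, both loader functions and the field hash are hypothetical; the hash stands in for text read from XML elements, and the string form of +instance_eval+ is an assumption about how pre3 sets instance data. It does not depend on $SAFE or tainting.

```ruby
# Hypothetical class: owner has a writer accessor, admin deliberately has none.
class Account
  attr_accessor :owner
  attr_reader   :admin

  def initialize
    @owner = nil
    @admin = false
  end
end

# Constructed sample input: element name => element text, as a deserializer
# would see it after parsing. The text closes the string and adds a statement.
CONSTRUCTED_FIELDS = { "owner" => '"chris"; @admin = true' }.freeze

# Assumed pre3-style loader: document text is spliced into Ruby source and
# evaluated inside the object, so the document controls what code runs.
def load_with_instance_eval(klass, fields)
  obj = klass.allocate
  fields.each { |name, text| obj.instance_eval("@#{name} = #{text}") }
  obj
end

# Accessor-style loader (the pre4 default described above): only public
# writer methods are called, and the text is passed as data, never as code.
def load_with_accessors(klass, fields)
  obj = klass.new
  fields.each do |name, text|
    writer = "#{name}="
    unless name.match?(/\A[a-z_][A-Za-z0-9_]*\z/) && obj.respond_to?(writer)
      raise ArgumentError, "no public writer for #{name.inspect}"
    end
    obj.public_send(writer, text)
  end
  obj
end

evaled   = load_with_instance_eval(Account, CONSTRUCTED_FIELDS)
accessed = load_with_accessors(Account, CONSTRUCTED_FIELDS)
puts "instance_eval: admin=#{evaled.admin.inspect} owner=#{evaled.owner.inspect}"
puts "accessors:     admin=#{accessed.admin.inspect} owner=#{accessed.owner.inspect}"
```

With the accessor loader, a field that names an attribute without a writer (such as "admin" here) is rejected with ArgumentError instead of being set.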

Quote:
> ViewCVS:: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/clxmlserial/xmls/

Whoops:
ViewCVS::
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/clxmlserial/clxmlserial/


Tue, 02 Nov 2004 12:01:24 GMT  

Quote:

> Download 1.0.pre3::

Awesome.  Thanks, Chris.

--- SER



Fri, 05 Nov 2004 00:35:28 GMT  
Hi, Chris,

Quote:

> Sent: Friday, May 17, 2002 12:52 PM
> =Xml Serialization for Ruby

> Download 1.0.pre3::

Excellent.  I added TrueClass and FalseClass to
http://rrr.jin.gr.jp/rwiki?cmd=view;name=Marshal .

To create an empty (not 'initialize'-ed) object,
Class#allocate in ruby/1.7 will help you.  To use it
under ruby/1.6, see TANAKA Akira's yet another
excellent work at Class#basic_new in amarshal.rb.

Regards,
// NaHi



Sat, 06 Nov 2004 11:57:18 GMT  

Quote:
> Hi, Chris,


> > Sent: Friday, May 17, 2002 12:52 PM

> > =Xml Serialization for Ruby

> > Download 1.0.pre3::

> Excellent.  I added TrueClass and FalseClass to
> http://rrr.jin.gr.jp/rwiki?cmd=view;name=Marshal .

> To create an empty (not 'initialize'-ed) object,
> Class#allocate in ruby/1.7 will help you.  To use it
> under ruby/1.6, see TANAKA Akira's yet another
> excellent work at Class#basic_new in amarshal.rb.

Wow, thanks for your page -- that's an excellent collection of marshalling
libraries and functionality. Gives me a bit more to shoot for as well :)

I'm curious, the date you list for XMarshal is 2002-05-08, but I thought
that lib hadn't been updated in some time. Can you confirm that its latest
is that recent?

Chris



Sat, 06 Nov 2004 12:58:35 GMT  
Hi, Chris,

Quote:

> Sent: Tuesday, May 21, 2002 1:57 PM
> > http://rrr.jin.gr.jp/rwiki?cmd=view;name=Marshal .
> I'm curious, the date you list for XMarshal is 2002-05-08, but I thought
> that lib hadn't been updated in some time. Can you confirm that its latest
> is that recent?

Since I was not sure about released date of
http://www.goto.info.waseda.ac.jp/~fukusima/ruby/xmarshal.rb
I wrote downloaded date there.  XMarshal has not been modified
for long time, IIRC.  Sorry for confusing you.

Regards,
// NaHi



Sat, 06 Nov 2004 14:13:33 GMT  

Quote:
> Since I was not sure about released date of
> http://www.goto.info.waseda.ac.jp/~fukusima/ruby/xmarshal.rb
> I wrote downloaded date there.  XMarshal has not been modified
> for long time, IIRC.  Sorry for confusing you.

Not a problem -- I just thought if it'd been updated recently that I should
check out what's been added. Then when I looked, I couldn't find anything
new, so I just wanted to be certain. Thx.

Chris



Sat, 06 Nov 2004 21:09:18 GMT  
 