No, really, catalogs matter.

Back in 2004, I wrote up my harsh lesson in using a validating parser and why you should use an XML Catalog in your systems.

Last week, Netscape temporarily removed the DTD for RSS 0.91 from their site, and things promptly went south.

In response to that mess, Henri Sivonen points out that if you’re sending XML (not HTML) over the wire, there’s no reason to attach a Doctype declaration, and consuming applications should use internal Catalogs if they want to validate what they get over the wire.

I echo Sivonen’s reminder that you should declare a DTD when sending HTML, since browsers know to either ignore it or use a local version of the DTD.

Sivonen also mentions, in passing, the Billion Laughs attack. Which, to my shame, I’d missed.

  • Henri Sivonen

    Actually, the reason to use a doctype (not just any but a good one) is to activate the standards layout mode. I am not aware of any HTML browser that used a local DTD. (Some XHTML browsers do map certain public IDs to local abridged DTDs, though.)

    Thanks for the linkage.