Back in 2004, I wrote up my harsh lesson in using a validating parser and why you should use an XML Catalog in your systems.
Last week, Netscape temporarily removed the DTD for RSS 0.91 from their site, and things promptly went south.
In response to that mess, Henri Sivonen points out that if you’re sending XML (not HTML) over the wire, there’s no reason to attach a Doctype declaration, and consuming applications should use internal Catalogs if they want to validate what they get over the wire.
I echo Sivonen’s reminder that you should declare a DTD when sending HTML, since browsers know to either ignore it or use a local version of the DTD.
Sivonen also mentions, in passing, the Billion Laughs attack. Which, to my shame, I’d missed.