> Comments arent signed but change meaning of document
Do you have an example of that assertion handy? The only comment-influences-execution behavior I'm aware of is in SQL[1], and I haven't ever seen any XML system (in any business domain) which does what you said
1: I mean, setting aside linter suppression, which pedantically does impact execution but I meant of the final software
But basically in some xml apis, a comment can split a single text node into two adjacent text nodes. Some implementations would only look at the first text node. The original xsignature spec (although i think this has been changed) said to remove all comments from doc before signing it, so the attacker can add arbitrary comments without messing up the signature.
> so the attacker can add arbitrary comments without messing up the signature.
Right, I believe you, but the original assertion was "change meaning of document" -- I can likely add arbitrary whitespace, too, under that same "tomato, tomahto" canonicalization path, but how do either of those two insertions benefit the attacker by changing the meaning of the document?
Comments affect the dom structure of parsed xml subtley. There were cases where this was enough to log in as a different user. See the link i provided.
Do you have an example of that assertion handy? The only comment-influences-execution behavior I'm aware of is in SQL[1], and I haven't ever seen any XML system (in any business domain) which does what you said
1: I mean, setting aside linter suppression, which pedantically does impact execution but I meant of the final software