`encoding/xml` currently reads XML directives, but it doesn’t process them. Parsing XML DTDs is far too complex for `encoding/xml`. Furthermore, DTD processing is a frequent source of security issues. For instance, they are a required part of Billion Laughs and XML External Entity attacks, and they were also involved in a recent double-free in libxml2.
I propose that `encoding/xml` reject XML directives entirely by default. This is the only way I can see implementing #68299, and is consistent with recent versions of .NET.
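
An added example, not part of the original issue or of the Go project's code: it shows that `encoding/xml` today reads a `<!DOCTYPE>` directive and still unmarshals the document, and how a caller can reject directives by scanning the token stream for `xml.Directive`. `RejectDirectives`, `ErrDirective` and both sample documents are constructed for this illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrDirective is a name made up for this example; encoding/xml has no such error.
var ErrDirective = errors.New("xml: directive not allowed")

// Constructed sample inputs. The DOCTYPE declares an entity but never uses it,
// so the current decoder reads the directive and carries on.
const (
	plainDoc   = `<?xml version="1.0"?><r>ok</r>`
	doctypeDoc = `<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "b">]><r>ok</r>`
)

// RejectDirectives (hypothetical helper) walks the token stream and fails on
// the first xml.Directive, i.e. any <!...> construct such as <!DOCTYPE>.
func RejectDirectives(r io.Reader) error {
	dec := xml.NewDecoder(r)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // well-formed and directive-free
		}
		if err != nil {
			return err // malformed input is rejected as well
		}
		if _, ok := tok.(xml.Directive); ok {
			return fmt.Errorf("%w (ends at byte %d)", ErrDirective, dec.InputOffset())
		}
	}
}

func main() {
	for _, doc := range []string{plainDoc, doctypeDoc} {
		var v struct {
			Text string `xml:",chardata"`
		}
		// Current behaviour: Unmarshal succeeds for both documents.
		fmt.Println("Unmarshal:", xml.Unmarshal([]byte(doc), &v), "text:", v.Text)
		fmt.Println("RejectDirectives:", RejectDirectives(strings.NewReader(doc)))
	}
}
```

The pre-scan parses the input twice; a caller that already drives `Decoder.Token` itself can apply the same type check inline instead.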