Actually, `libxml2` seems to be protected against XML bombs by default, throwing a `Detected an entity reference loop` warning in my tests. Has anyone managed to DoS his server with this?
Not sure the protection is that simple, mind providing a bomb example?
Thanks @ProDigySML, I know it works in theory, just am not able to create a bomb without sending a really large payload. The server seems to defend itself against exponential...
Schema validation seems too restrictive, we don't know what kind of documents could be imported in the future. I guess there is nothing we can do if a user imports...
Postpone it to 4.8, perhaps? Custom fields will be a big change, I guess, including XML import.
> This attack appear to be exploitable via Uploading a specially crafted XML file.

We also recognize being vulnerable to uploading a specially crafted PHP file to a special directory...
@NicoleG25 the 'issue' is of the same order of criticality as uploading a harmful php file or plugin. We currently use XML import only on setup for data provided with...
@NicoleG25 there is (currently) no plan to fix it since there is (currently) nothing to fix. The only persons able to exploit this 'vulnerability' are txp site admins (or hackers...
Rather than adding new txp tag attributes one by one, wouldn't it be more flexible to consider all 'additional' image attributes as HTML ones and caveat utilitor? Users can construct...
Sure, txp will continue to handle some attributes, but these it does not (yet) that are not global could be simply passed through to the resulting `<img>` tags. Like `loading`...