
Take care of External XML Entities

Open attilammagyar opened this issue 11 years ago • 0 comments

Should be able to work with XML files from untrusted sources without letting XXE injection attacks through.

  • https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
  • http://www.php.net/manual/en/wrappers.php

Example:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM 'php://filter/read=convert.base64-encode/resource=/etc/passwd'>]>
<foo>&xxe;</foo>
```

attilammagyar, Feb 10 '14 23:02
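As an added defensive example (not code from the html-filter project or from the issue author), the loader below refuses any DOCTYPE before handing the document to libxml, so neither the `php://filter` entity above nor any other external entity can be resolved; it also parses with `LIBXML_NONET` and deliberately omits `LIBXML_NOENT` and `LIBXML_DTDLOAD`. The function name `loadUntrustedXml` and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not html-filter's own code: parse XML from an untrusted
// source without letting XXE through. Strategy: reject DTDs entirely, then
// parse with options that never substitute or fetch external entities.

function loadUntrustedXml(string $xml): DOMDocument
{
    // Entities can only be declared inside a DTD, so refusing the DOCTYPE
    // removes the whole attack surface (OWASP's recommended approach).
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }

    // Older PHP/libxml builds resolve external entities unless told not to;
    // PHP >= 8.0 with libxml >= 2.9 disables this by default and deprecates the call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing.
    // LIBXML_NOENT (substitute entities) and LIBXML_DTDLOAD are intentionally NOT set.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $msg = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('XML parse error: ' . $msg);
    }
    return $doc;
}

// Constructed inputs: the payload from the issue, and a harmless document.
$malicious = <<<'XML'
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM 'php://filter/read=convert.base64-encode/resource=/etc/passwd'>]>
<foo>&xxe;</foo>
XML;

try {
    loadUntrustedXml($malicious);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$benign = '<?xml version="1.0"?><foo>hello</foo>';
echo loadUntrustedXml($benign)->documentElement->textContent, "\n";
```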