XXE – iOS secure coding
iOS includes the C/C++ libxml2 library described in C/C++ secure coding examples, so that guidance applies if you are using libxml2 directly. However, the version of libxml2 provided up through iOS6 is prior to version 2.9 of libxml2 (which protects against XXE by default).
iOS also provides an NSXMLDocument type, which is built on top of libxml2. However, NSXMLDocument provides some additional protections against XXE that aren’t available in libxml2 directly:
iOS4 and earlier: All external entities are loaded by default.
iOS5 and later: Only entities that don’t require network access are loaded. (which is safer)
However, to completely disable XXE in an NSXMLDocument in any version of iOS you simply specify
NSXMLNodeLoadExternalEntitiesNever when creating the NSXMLDocument.