XXE – C/C++ secure coding


The Enum xmlParserOption should not have the following options defined:

XML_PARSE_NOENT // Expands entities and substitutes them with replacement text
XML_PARSE_DTDLOAD // Load the external DTD

Note: starting with libxml2 version 2.9, XXE has been disabled by default as committed by the following patch: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *