clojure.xml by default processes XML external entities. This allows inclusion of external files in the processed XML, both from the local file system and from remote servers. This seems like a bad idea when processing untrusted input.
Here's an example that includes /etc/hostname in the result (if you do not have that file on your computer, the result is a FileNotFoundException):
(require 'clojure.xml)
(def xml-str "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM \"file:///etc/hostname\" >]>
<foo>&xxe;</foo>")
(with-open [input (java.io.ByteArrayInputStream. (.getBytes xml-str))]
  (clojure.xml/parse input))
;; => {:tag :foo, :attrs nil, :content ["nixos\n"]}
As far as I know, this feature is rarely used and e.g. data.xml disables it by default. Could it be disabled in clojure.xml as well to make it safer by default?
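Until the default changes, a caller can pass its own `startparse` function as the second argument to `clojure.xml/parse`. The following is an added example, not part of the original report or of clojure.xml itself; `startparse-hardened` and `parse-untrusted` are hypothetical names, and the feature URIs assume the JDK's default (Xerces-based) SAX parser.

```clojure
(require 'clojure.xml)
(import '(javax.xml.parsers SAXParserFactory)
        '(java.io ByteArrayInputStream)
        '(org.xml.sax SAXParseException))

(defn startparse-hardened
  "Hypothetical helper: same contract as clojure.xml's default startparse
  (source + content handler), but with DOCTYPE and external entities off."
  [source content-handler]
  (let [factory (doto (SAXParserFactory/newInstance)
                  ;; Reject any document that carries a DOCTYPE at all.
                  (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true)
                  ;; Defence in depth, in case the line above is ever relaxed:
                  (.setFeature "http://xml.org/sax/features/external-general-entities" false)
                  (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
                  (.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false))]
    (.parse (.newSAXParser factory) source content-handler)))

(defn parse-untrusted
  "Parse an XML string with the hardened factory. Returns the parsed tree,
  or {:rejected <message>} when the parser refuses the document."
  [^String xml]
  (try
    (with-open [in (ByteArrayInputStream. (.getBytes xml "UTF-8"))]
      (clojure.xml/parse in startparse-hardened))
    (catch SAXParseException e
      {:rejected (.getMessage e)})))

;; Constructed sample inputs: one plain document, and the document from the report.
(def benign-xml "<foo>hello</foo>")
(def xxe-xml "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM \"file:///etc/hostname\" >]>
<foo>&xxe;</foo>")

(println "benign:" (parse-untrusted benign-xml))
(println "xxe:   " (parse-untrusted xxe-xml))
```

Applications that must accept documents with a DOCTYPE can drop the `disallow-doctype-decl` line and rely on the remaining three features, which keep the declaration but stop external entities and DTDs from being loaded.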