data.xml : disable support-dtd by default

Question 1

As defined by OWASP recommendations [1], both supporting-external-entities and support-dtd should be disabled by default.
While it's the case for the former (but not released as part of the 0.0.8 version), it's not the case for the latter.

Can we consider having both defined to false as part of a stable version?

[1] : https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser.

Question 2

Logged as https://clojure.atlassian.net/browse/DXML-74

Question 3

By "stable" do you mean non-alpha, or non-SNAPSHOT?

Question 4

According to the README, the stable version is 0.0.8, while the preview one is 0.2.0-alpha8.
I would expect either a 0.0.9 version which includes the two parameters as disabled (since it's a security issue). Or a 0.2.0 marked as the new stable version afterwards.

alexmiller · Answer 1 · 2023-12-04T19:24:57+0000

commented Dec 4, 2023 by Arnaud Geiser

data.xml : disable support-dtd by default

Please log in or register to add a comment.

Please log in or register to answer this question.

2 Answers

Please log in or register to add a comment.

Please log in or register to add a comment.

Categories

data.xml : disable support-dtd by default

Please log in or register to add a comment.

Please log in or register to answer this question.

2 Answers

Please log in or register to add a comment.

Please log in or register to add a comment.

Related questions

Categories