https://ask.clojure.org/index.php/tag/xml https://ask.clojure.org/index.php/14184/clojure-data-event-endelementevent-should-provide-location <p>Additional information on the EndElementEvent would be very helpful, especially for processing large data in a streaming way.</p> <p>I would be happy to propose a patch – I've already signed the Contributor Agreement</p> data.xml https://ask.clojure.org/index.php/14184/clojure-data-event-endelementevent-should-provide-location Thu, 10 Oct 2024 14:34:39 +0000 https://ask.clojure.org/index.php/13523/data-xml-disable-support-dtd-by-default <p>As defined by OWASP recommendations [1], both <code>supporting-external-entities</code> and <code>support-dtd</code> should be disabled by default.<br> While it's the case for the former (but not released as part of the 0.0.8 version), it's not the case for the latter.</p> <p>Can we consider having both defined to <code>false</code> as part of a stable version?</p> <p>[1] : <a rel="nofollow" href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser">https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser</a>.</p> data.xml https://ask.clojure.org/index.php/13523/data-xml-disable-support-dtd-by-default Mon, 04 Dec 2023 19:14:34 +0000 https://ask.clojure.org/index.php/12625/clojure-element-doesnt-implement-clojure-associative-entryat <p>Repro:</p> <pre><code>(find {:tag :a :attrs {} :content ()} :tag) ;;=&gt; [:tag :a] (find (clojure.data.xml/element :a) :tag) ;;=&gt; Execution error (AbstractMethodError) at clojure.data.xml.node.Element/entryAt (node.cljc:-1). ;; Method clojure/data/xml/node/Element.entryAt(Ljava/lang/Object;)Lclojure/lang/IMapEntry; is abstract </code></pre> <p>Having <code>Element</code> implement <code>entryAt</code> would make it possible e.g. to write <a rel="nofollow" href="https://github.com/metosin/malli">Malli</a> schemas for clojure.data.xml data structures without having to transform <code>Element</code>s to maps beforehand.</p> data.xml https://ask.clojure.org/index.php/12625/clojure-element-doesnt-implement-clojure-associative-entryat Thu, 02 Feb 2023 09:30:55 +0000 https://ask.clojure.org/index.php/10338/clojure-xml-processes-xxe-by-default <p>clojure.xml by default processes <a rel="nofollow" href="https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing">XML external entities</a>. This allows inclusion of external files in the processed XML, both from local file system and from remote servers. This seems like a bad idea when <a rel="nofollow" href="https://quanttype.net/posts/2021-03-13-clojure-xml-and-untrusted-input.html">processing untrusted input</a>.</p> <p>Here's an example that includes <code>/etc/hostname</code> in the result (if you do not have that file on your computer, the result is a FileNotFoundException):</p> <pre><code>(require 'clojure.xml) (def xml-str "&lt;?xml version=\"1.0\" encoding=\"UTF-8\" ?&gt; &lt;!DOCTYPE foo [ &lt;!ELEMENT foo ANY &gt; &lt;!ENTITY xxe SYSTEM \"file:///etc/hostname\" &gt;]&gt; &lt;foo&gt;&amp;xxe;&lt;/foo&gt;") (with-open [input (java.io.ByteArrayInputStream. (.getBytes xml-str))] (clojure.xml/parse input)) ;; =&gt; {:tag :foo, :attrs nil, :content ["nixos\n"]} </code></pre> <p>As far as I know, this feature is rarely used and e.g. data.xml disables it by default. Could it be disabled in clojure.xml as well to make it safer by default?</p> Clojure https://ask.clojure.org/index.php/10338/clojure-xml-processes-xxe-by-default Sun, 14 Mar 2021 08:14:34 +0000 https://ask.clojure.org/index.php/9686/deprecate-clojure-xml <p>The clojure.xml namespace is at this point pretty out of date with modern Java options. It should be marked as deprecated and point to using org.clojure/data.xml instead.</p> Clojure https://ask.clojure.org/index.php/9686/deprecate-clojure-xml Tue, 06 Oct 2020 16:55:11 +0000