Hi Elliotte,

On 24.04.2026 13:10, Elliotte Rusty Harold wrote:
>>
>> I see three plausible hardening levels worth supporting:
>>
>> 1. No DOCTYPE allowed. Eliminates the entire class of DTD-based
>>    attacks. This is what the draft implements.
>>
>> 2. DOCTYPE allowed, no external resources loaded. Internal entities
>>    work (for users who need HTML-style named entities, for example),
>>    entity expansion limits are enforced, but nothing is fetched from
>>    outside the document.
>>
>> 3. DOCTYPE allowed, user-supplied resolver. The caller provides an
>>    EntityResolver; we wrap it so that if the resolver returns null for
>>    an unknown reference, we throw rather than falling through to the
>>    parser's default URL-fetching behavior. This closes SAX's most
>>    common footgun while letting integrators implement classpath-scoped
>>    loading, XML catalogs, and similar.
>>
> 
> #2 is really as hard as anything needs to be. #1 doesn't add anything.
> 
> #3 is interesting. I can see this being useful.


Yes, I think #2 is also the right baseline. I rewrote the restrictions
to allow DOCTYPE declarations and only block excessive entity expansion
and external fetches:

https://github.com/copernik-eu/commons-xml-factory/pull/5

That covers my needs: to be sure that the hardening measures on the XML
parser I use will be enough regardless of the parser implementation used
by downstream users.

While the main code probably doesn't need major changes, there are lots
of tests to be added (e.g. on Android).

Piotr
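Levels 2 and 3 from the quoted list, as an added Java example that is not part of this thread or of commons-xml-factory. The class name, the content handler, the two constructed sample documents and the in-memory resolver are assumptions made for illustration; only the JAXP/SAX feature and property names are real.

```java
import java.io.StringReader;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical illustration of hardening levels 2 and 3; not the project's own code. */
public final class HardenedSaxExample {

    // Xerces-specific feature; other SAX implementations may reject it, so it is set best-effort.
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Level 2: DOCTYPE and internal entities work, nothing is fetched from outside the document. */
    static XMLReader level2Reader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Mandatory: standard SAX/JAXP features. A failure here propagates instead of being swallowed,
        // so a parser that cannot honour them is rejected (fail closed). On the JDK's bundled parser,
        // secure processing also turns on the entity expansion limits (jdk.xml.entityExpansionLimit).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Best-effort extras: Xerces "do not load the external subset", and the JAXP 1.5 access
        // properties, where an empty protocol list means no protocol is allowed.
        trySetFeature(r, LOAD_EXTERNAL_DTD, false);
        trySetProperty(r, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        trySetProperty(r, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return r;
    }

    /** Level 3: DOCTYPE allowed; every external reference goes through the caller's resolver only. */
    static XMLReader level3Reader(EntityResolver userResolver) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader r = f.newSAXParser().getXMLReader();
        r.setEntityResolver(failClosed(userResolver));
        return r;
    }

    /** Wraps a resolver so that a null result throws instead of falling back to URL fetching. */
    static EntityResolver failClosed(EntityResolver delegate) {
        return (publicId, systemId) -> {
            InputSource src = delegate.resolveEntity(publicId, systemId);
            if (src == null) {
                throw new SAXException("unresolved external reference, refusing to fetch: " + systemId);
            }
            return src;
        };
    }

    private static void trySetFeature(XMLReader r, String name, boolean value) {
        try { r.setFeature(name, value); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) { /* rely on the mandatory ones */ }
    }

    private static void trySetProperty(XMLReader r, String name, Object value) {
        try { r.setProperty(name, value); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) { /* pre-JAXP-1.5 parser */ }
    }

    /** Parses xml and returns its text content; entity references the parser skipped are marked. */
    static String textOf(XMLReader reader, String xml) throws Exception {
        StringBuilder out = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) { out.append(ch, start, len); }
            @Override public void skippedEntity(String name) { out.append("[skipped:").append(name).append(']'); }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents (assumption: the hosts below are never contacted).
        String internalOnly = "<!DOCTYPE d [<!ENTITY copy \"&#169;\">]><d>&copy; 2026</d>";
        String unknownExt = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/unknown.xml\">]><d>&ext;</d>";
        String knownExt = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/known.xml\">]><d>&ext;</d>";

        // Level 2: the internal entity expands; the external reference is skipped, never fetched
        // (the JDK parser reports it through skippedEntity).
        System.out.println(textOf(level2Reader(), internalOnly));
        System.out.println(textOf(level2Reader(), unknownExt));

        // Level 3: an in-memory resolver standing in for classpath/catalog lookup.
        Map<String, String> known = Map.of("http://example.invalid/known.xml", "from resolver");
        EntityResolver user = (publicId, systemId) -> known.containsKey(systemId)
                ? new InputSource(new StringReader(known.get(systemId))) : null;
        System.out.println(textOf(level3Reader(user), knownExt));
        try {
            textOf(level3Reader(user), unknownExt);   // the wrapper throws before any fetch
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two points a practitioner should keep in mind when porting this to other implementations. First, the two standard SAX external-entity features are set without a try/catch on purpose: on a parser that does not honour them (or the JAXP 1.5 access properties, which Android's parser may not recognise) the level-2 guarantee would silently disappear, so it is better to fail at construction time. Second, the level-3 resolver must return stream- or reader-backed InputSources; if it returns an InputSource carrying only a system identifier, the parser opens that URL itself, which is the fetch the wrapper is meant to prevent.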



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
