Proposal Details
encoding/xml currently reads XML directives, but it doesn’t process them. Parsing XML DTDs is far too complex for encoding/xml. Furthermore, DTD processing is a frequent source of security issues. For instance, they are a required part of Billion Laughs and XML External Entity attacks, and they were also involved in a recent double-free in libxml2.
I propose that encoding/xml reject XML directives entirely by default. This is the only way I can see implementing #68299, and is consistent with recent versions of .NET.
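As an added example (not part of the proposal or of encoding/xml itself), this is the guard an application can apply today: the decoder already surfaces `<!DOCTYPE ...>` as an xml.Directive token without processing it, so a pre-decode pass can refuse any document that carries one. The sample documents, the Note type and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
)

// Constructed sample inputs (not from the proposal): a plain note and the
// same note preceded by a DOCTYPE directive pointing at an external DTD.
var (
	benignDoc = []byte(`<?xml version="1.0"?><note><body>hello</body></note>`)
	dtdDoc    = []byte(`<?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note><body>hello</body></note>`)
)

// ErrDirective is returned when the input contains any <!...> directive.
var ErrDirective = errors.New("xml: directives such as <!DOCTYPE> are not allowed")

// rejectDirectives tokenises the input and fails on the first xml.Directive.
// The XML declaration <?xml ...?> is a ProcInst, not a Directive, so it passes.
func rejectDirectives(doc []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // whole document scanned, no directive seen
		}
		if err != nil {
			return err // malformed XML is rejected as well
		}
		if _, ok := tok.(xml.Directive); ok {
			return ErrDirective
		}
	}
}

type Note struct {
	XMLName xml.Name `xml:"note"`
	Body    string   `xml:"body"`
}

// decodeNote runs the guard before the usual Unmarshal (a second pass over the bytes).
func decodeNote(doc []byte) (Note, error) {
	var n Note
	if err := rejectDirectives(doc); err != nil {
		return n, err
	}
	return n, xml.Unmarshal(doc, &n)
}
```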