Resolution: Fixed
Assignee: Pothys - MitrahSoft
Reporter: Zac Spitzer
Created: 23 October 2020 at 22:06
Updated: 20 May 2024 at 15:07
Resolved: 31 July 2023 at 05:37
XmlParse and isXml need an additional argument to enable using XML External Entities
https://docs.lucee.org/reference/functions/xmlparse.html
https://docs.lucee.org/reference/functions/isxml.html
Adobe supports a third validator argument for xmlparse (bottom of the docs, not currently mentioned in the argument summary), which we are implementing:
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-t-z/xmlparse.html
<cfset parseroptions = structnew()>
<!--- disable resolution of external entities (XXE protection) --->
<cfset parseroptions.ALLOWEXTERNALENTITIES = false>
<cfscript>
    a = XmlParse("xml.xml", false, parseroptions);
    writeDump(a);
</cfscript>
For other XML functions, you need to use these two functions (isXml, xmlParse) to parse the XML into an object and then work with that object, rather than directly parsing the XML as before, unless you have disabled the XXE protections at an application level (not recommended).
So, parse with xmlParse and then pass that object into the following functions:
https://docs.lucee.org/reference/functions/xmltransform.html
https://docs.lucee.org/reference/functions/xmlsearch.html
etc.
I am also adding an env var / system property
lucee.xmlfeatures.override.disable
which disables overriding the default XXE settings.
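Putting the parse-once-then-pass-the-object pattern described above into one script, as an added example that is not code from the ticket or from Lucee: the document is parsed a single time with external entities disabled, and xmlSearch and xmlTransform then receive the parsed object rather than the raw string. The parserOptions key is assumed to match the Adobe-documented ALLOWEXTERNALENTITIES; the sample XML and stylesheet are constructed.

```cfml
<cfscript>
// Constructed sample document: no DOCTYPE, no entity references.
xmlText = '<catalog><item id="1">Widget</item><item id="2">Gadget</item></catalog>';

// Parser options; the key is assumed to be the same one the Adobe docs describe.
parserOptions = structNew();
parserOptions.ALLOWEXTERNALENTITIES = false;

// Step 1: parse exactly once, with external entities disabled.
doc = xmlParse(xmlText, false, parserOptions);

// Step 2: every later XML function gets the parsed object, never the raw string,
// so the parser options applied above are the only ones that ever see the input.
items = xmlSearch(doc, "/catalog/item");
for (item in items) {
    writeOutput(item.xmlAttributes.id & ": " & item.xmlText & "<br>");
}

// Constructed stylesheet: emit the item ids as comma-separated text.
xslText = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
        & '<xsl:output method="text"/>'
        & '<xsl:template match="/"><xsl:for-each select="catalog/item">'
        & '<xsl:value-of select="@id"/>,</xsl:for-each></xsl:template>'
        & '</xsl:stylesheet>';
writeOutput(xmlTransform(doc, xslText));
</cfscript>
```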