
Commit

Tweak how the dotnet cheatsheet talks about XXE (#957)
* Tweak how the dotnet cheatsheet talks about XXE

* Add a couple of clarifications and some links
tghosth committed Aug 5, 2022
1 parent 0f71d70 commit a6b8093
Showing 2 changed files with 8 additions and 4 deletions.
6 changes: 3 additions & 3 deletions cheatsheets/DotNet_Security_Cheat_Sheet.md
Expand Up @@ -432,11 +432,11 @@ For more information about headers can be found [here](https://owasp.org/www-pro

### A4 XML External Entities (XXE)

Please refer to the XXE cheat sheet so more detailed information, which can be found [here](XML_External_Entity_Prevention_Cheat_Sheet.md#net).

XXE attacks occur when an XML parse does not properly process user input that contains external entity declaration in the doctype of an XML payload.

Below are the three most common [XML Processing Options](https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xml-processing-options) for .NET.
[This article](https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xml-processing-options) discusses the most common XML Processing Options for .NET.

Please refer to the [XXE cheat sheet](XML_External_Entity_Prevention_Cheat_Sheet.md#net) for more detailed information on preventing XXE and other XML Denial of Service attacks.

### A5 Broken Access Control

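Review bot: the new closing sentence ("for more detailed information on preventing XXE and other XML Denial of Service attacks") reads as if XXE were itself a denial of service attack; the linked section covers both, so "on preventing XXE and XML denial of service attacks" is more accurate. While this paragraph is being touched, the unchanged context line "XXE attacks occur when an XML parse does not properly process user input that contains external entity declaration" has two slips that could be fixed in the same commit: "XML parser" and "an external entity declaration". Replacing the old "Below are the three most common ... options" wording is a good change, since no list of options actually followed it.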
6 changes: 5 additions & 1 deletion cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
Expand Up @@ -424,7 +424,7 @@ Table explanation:
- ❌ = Vulnerable
- ❓ = Not clear
| Attack Type | .NET Framework Version | XDocument (Linq to XML) | XmlDictionaryReader | XmlDocument | XmlNodeReader | XmlReader | XmlTextReader | XPathNavigator | XslCompiledTransform |
| Attack Type | .NET Framework Version | [XDocument (Linq to XML)](#linq-to-xml) | [XmlDictionaryReader](#xmldictionaryreader) | [XmlDocument](#xmldocument) | [XmlNodeReader](#xmlnodereader) | [XmlReader](#xmlreader) | [XmlTextReader](#xmltextreader) | [XPathNavigator](#xpathnavigator) | [XslCompiledTransform](#xslcompiledtransform) |
|-|-|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
| **External entity Attacks** | <4.5.2 | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ |
| | ≥4.5.2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
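Review bot: the anchors added to the header row must match the heading slugs later in the file. Seven of the eight are identical to the column name (for example `#xmlnodereader` and `#xslcompiledtransform` match the `### XmlNodeReader` and `### XslCompiledTransform` headings visible in the later hunks), but `[XDocument (Linq to XML)](#linq-to-xml)` points at a slug that differs from the column name, so it is worth confirming that a heading rendering to `linq-to-xml` exists, otherwise the link silently scrolls nowhere. A minor style point: the legend list (`- ❓ = Not clear`) runs straight into the table header with no blank line between them; adding one avoids some Markdown renderers treating the header row as a continuation of the last list item.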
Expand Down Expand Up @@ -463,6 +463,8 @@ The following example shows how it is made safe:
}
```

For .NET Framework version ≥4.5.2, this is **safe by default**.

`XmlDocument` can become unsafe if you create your own nonnull `XmlResolver` with default or unsafe settings. If you need to enable DTD processing, instructions on how to do so safely are described in detail in the [referenced MSDN article](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).

### XmlNodeReader
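Review bot: "For .NET Framework version ≥4.5.2, this is **safe by default**." has an ambiguous subject, since it follows a code block; the parallel line added for XPathNavigator names the class, so this one should read "`XmlDocument` is **safe by default**" for consistency. It would also read more naturally joined to the sentence that follows it, which already states the exception ("can become unsafe if you create your own nonnull `XmlResolver`"), e.g. "For .NET Framework version ≥4.5.2, `XmlDocument` is safe by default, but it becomes unsafe if ...". The claim itself agrees with the table above (❌ for <4.5.2, ✅ for ≥4.5.2 in the XmlDocument column).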
Expand Down Expand Up @@ -534,6 +536,8 @@ XPathNavigator nav = doc.CreateNavigator();
string xml = nav.InnerXml.ToString();
```

For .NET Framework version ≥4.5.2, XPathNavigator is **safe by default**.

### XslCompiledTransform

`System.Xml.Xsl.XslCompiledTransform` (an XML transformer) is safe by default as long as the parser it's given is safe.
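Review bot: the example directly above builds the navigator with `XPathNavigator nav = doc.CreateNavigator();`, so the safety of the navigator is really the safety of the `doc` it was created from; the added sentence would be clearer if it said so, e.g. "For .NET Framework version ≥4.5.2, `XPathNavigator` is **safe by default** because the `XmlDocument` it is created from is safe by default", which also tells readers on older versions where to apply the fix. For consistency with the rest of the file (`XmlDocument`, `XmlResolver`, `System.Xml.Xsl.XslCompiledTransform`), the class name should be in backticks. The claim matches the table (❌ for <4.5.2, ✅ for ≥4.5.2 in the XPathNavigator column).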