Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Remove ability to parse symbols and yaml #34
Overall, this looks good. What do you think about also removing lines 22 and 30 from https://github.com/sferik/multi_xml/blob/master/lib/multi_xml.rb? It seems like those are inherently unsafe.
I feel like they should be left in since they're only unsafe if you're parsing untrusted input. This pull requests makes parsing default to not trusting the xml and requires users to deliberately mark each and every instance of xml parsing as trusted if they want YAML parsing. This makes the library not only secure by default, but flexible if you really need it. Also, this mimics ActiveSupport's xml parsing and I think it would be nice to keep feature parity, if possible. What do you think?
It may be worth adding more docs around the fact that using allowing all types while parsing untrusted input is dangerous, and maybe even link to the CVE, or this pull request.
added a commit
this pull request
Jan 11, 2013
Jan 11, 2013
1 check passed
For those subscribed to this thread, a new version of multi_xml has been pushed with these fixes. Get it while it's hot!