Remove ability to parse symbols and yaml #34
Overall, this looks good. What do you think about also removing lines 22 and 30 from https://github.com/sferik/multi_xml/blob/master/lib/multi_xml.rb? It seems like those are inherently unsafe.
I feel like they should be left in since they're only unsafe if you're parsing untrusted input. This pull requests makes parsing default to not trusting the xml and requires users to deliberately mark each and every instance of xml parsing as trusted if they want YAML parsing. This makes the library not only secure by default, but flexible if you really need it. Also, this mimics ActiveSupport's xml parsing and I think it would be nice to keep feature parity, if possible. What do you think?
It may be worth adding more docs around the fact that using allowing all types while parsing untrusted input is dangerous, and maybe even link to the CVE, or this pull request.
Jan 11, 2013
1 check passed
For those subscribed to this thread, a new version of multi_xml has been pushed with these fixes. Get it while it's hot!