Resolve entities defined in DOCTYPE recursively. #161
Conversation
Entity expansion loops are detected and avoided. In addition, there is a limit on the length of an entity expansion (to guard against attacks like the billion laughs attack). This can be adjusted using the new exported field `psEntityExpansionSizeLimit` on ParseSettings. By default it is set at 8192. Add tests, including a test for the billion laughs attack.
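An added illustration of the two guards the PR description mentions, written in Python rather than Haskell and not taken from xml-conduit: loop detection along the chain of entities currently being expanded, and a cap on the size of any single entity expansion, defaulting to 8192 to match `psEntityExpansionSizeLimit`. The regex-based DOCTYPE handling, the function names and the constructed sample documents (a benign one, a two-entity loop, and a generated billion-laughs document) are all assumptions made for this demonstration.

```python
import re

SIZE_LIMIT = 8192  # same default as xml-conduit's psEntityExpansionSizeLimit
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # passed through untouched
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)

class EntityExpansionError(ValueError): pass

def expand_entity(name, entities, size_limit=SIZE_LIMIT, active=()):
    # Expand one entity recursively: a name already on the active chain is a loop,
    # and an expansion over size_limit is refused before a parent can multiply it.
    if name in active:
        raise EntityExpansionError("expansion loop: " + " -> ".join(active + (name,)))
    if name not in entities:
        raise EntityExpansionError("undefined entity: " + name)
    def replace(ref):
        if ref.group(1) in PREDEFINED:
            return ref.group(0)
        return expand_entity(ref.group(1), entities, size_limit, active + (name,))
    expanded = ENTITY_REF.sub(replace, entities[name])
    if len(expanded) > size_limit:
        raise EntityExpansionError(
            f"entity {name!r} expands to {len(expanded)} chars (limit {size_limit})")
    return expanded

def resolve_document(xml, size_limit=SIZE_LIMIT):
    # Expand references in the body using the DOCTYPE internal subset (simplified).
    m = DOCTYPE.search(xml)
    entities = dict(ENTITY_DECL.findall(m.group(1))) if m else {}
    body = xml[m.end():] if m else xml
    return ENTITY_REF.sub(lambda r: r.group(0) if r.group(1) in PREDEFINED
                          else expand_entity(r.group(1), entities, size_limit), body)

def check_document(xml, size_limit=SIZE_LIMIT):
    # None if every reference expands safely, otherwise the rejection reason.
    try:
        resolve_document(xml, size_limit)
    except EntityExpansionError as err:
        return str(err)
    return None

def billion_laughs(depth=9, fanout=10):
    # Constructed sample of the classic attack document, used only as test input.
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "{("&%s;" % prev) * fanout}">')
    return f"<!DOCTYPE lolz [{''.join(decls)}]><lolz>&lol{depth};</lolz>"
```

With the 8192 default the generated document is rejected at the fourth nesting level (30000 characters), so the parser never builds the larger levels above it.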
OK, I've changed this, adding a new adjustable parameter for the max size of any single entity expansion, and better code for avoiding loops. I've also added more tests.
Sorry for the delay in reviewing.
Squashed and merged, thank you!
Great, thank you for the quick merge. When do you expect a new release of xml-conduit? I am looking forward to switching skylighting from HXT, but this awaits these fixes.
Released as 1.9.1.0.
This puts a limit on recursion depth (10) to avoid loops and other attacks.
Fixes #103.