Don't expose consumer to entity attacks from provider

commit 84a17199e0e091b2a096f6b3306cb329c1a7518f 1 parent dedef67
@yannk authored
Showing with 8 additions and 1 deletion.
  1. +8 −1 lib/Web/oEmbed/Response.pm
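--- a/lib/Web/oEmbed/Response.pm
+++ b/lib/Web/oEmbed/Response.pm
@@ -62,7 +62,14 @@ sub parse_json {
 sub parse_xml {
 my($self, $xml) = @_;
 require XML::LibXML::Simple;
- XML::LibXML::Simple->new->XMLin($xml);
+ my $parser_opts = {
+ no_network => 1,
+ expand_xinclude => 0,
+ expand_entities => 1,
+ load_ext_dtd => 0,
+ ext_ent_handler => sub { warn "External entities disabled."; '' },
+ };
+ XML::LibXML::Simple->new(parser_opts => $parser_opts)->XMLin($xml);
 }
 sub render {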
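Review bot: The hardening in `parse_xml` only takes effect if the installed XML::LibXML::Simple passes `parser_opts` through to the XML::LibXML parser, and nothing in this commit pins that: only `lib/Web/oEmbed/Response.pm` changes, with no prerequisite bump and no test. If an older release ignores the key (I have not confirmed whether it warns or stays silent), provider XML would be parsed with default settings again without anyone noticing. Declare a minimum XML::LibXML::Simple version in the distribution metadata, and add a regression test that feeds `parse_xml` a response whose DTD declares an external entity pointing at a local fixture file and asserts the fixture text is absent from the result. `expand_entities => 1` also needs a comment, because it reads as the opposite of the commit title: `# must stay on: per the XML::LibXML docs, ext_ent_handler is only consulted when entities are expanded`. Internal entities are still expanded with these options, so resource use on a hostile response is bounded only by libxml2's own limits.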