
Don't expose consumer to entity attacks from provider

1 parent dedef67 commit 84a17199e0e091b2a096f6b3306cb329c1a7518f @yannk committed Jun 13, 2011
Showing with 8 additions and 1 deletion.
  1. +8 −1 lib/Web/oEmbed/Response.pm
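--- a/lib/Web/oEmbed/Response.pm
+++ b/lib/Web/oEmbed/Response.pm
@@ -62,7 +62,14 @@ sub parse_json {
 sub parse_xml {
 my($self, $xml) = @_;
 require XML::LibXML::Simple;
- XML::LibXML::Simple->new->XMLin($xml);
+ my $parser_opts = {
+ no_network => 1,
+ expand_xinclude => 0,
+ expand_entities => 1,
+ load_ext_dtd => 0,
+ ext_ent_handler => sub { warn "External entities disabled."; '' },
+ };
+ XML::LibXML::Simple->new(parser_opts => $parser_opts)->XMLin($xml);
 }
 sub render {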
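Review bot: `expand_entities => 1` in `$parser_opts` leaves entity expansion switched on, so the hardening rests on `ext_ent_handler` returning an empty string for external entities, while internal entities declared in the provider's own DOCTYPE are still expanded. Nested internal entities can therefore still cost the consumer memory and CPU, limited only by whatever caps the installed libxml2 applies. If oEmbed responses are not expected to carry a DTD, consider `expand_entities => 0` or rejecting input that contains a DOCTYPE before `XMLin` is called; otherwise add a comment such as `# expand_entities stays on so ext_ent_handler is consulted; it blanks every external entity`, because the setting reads as contradictory next to the commit title. The diffstat shows no test file, so a fixture that declares an external entity and asserts the parsed value comes back empty would pin the behaviour.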

0 comments on commit 84a1719
