refactor: remove NOENT option for security

NOENT, which is used to substitute entities also enables processing of both regular and external entities. Which seems risky when you don't the XML source. NONET will have no effect if used with NOENT. - Github Issue: ckruse#55
shubhampathak · Dec 6, 2019 · b568969 · b568969
1 parent 8d946cb
commit b568969
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/cfpropertylist/rbLibXMLParser.rb b/lib/cfpropertylist/rbLibXMLParser.rb
@@ -5,7 +5,7 @@
 module CFPropertyList
   # XML parser
   class LibXMLParser < XMLParserInterface
-    PARSER_OPTIONS = LibXML::XML::Parser::Options::NOBLANKS|LibXML::XML::Parser::Options::NOENT|LibXML::XML::Parser::Options::NONET
+    PARSER_OPTIONS = LibXML::XML::Parser::Options::NOBLANKS|LibXML::XML::Parser::Options::NONET
     # read a XML file
     # opts::
     # * :file - The filename of the file to load

diff --git a/lib/cfpropertylist/rbNokogiriParser.rb b/lib/cfpropertylist/rbNokogiriParser.rb
@@ -5,7 +5,7 @@
 module CFPropertyList
   # XML parser
   class NokogiriXMLParser < ParserInterface
-    PARSER_OPTIONS = Nokogiri::XML::ParseOptions::NOBLANKS|Nokogiri::XML::ParseOptions::NOENT|Nokogiri::XML::ParseOptions::NONET
+    PARSER_OPTIONS = Nokogiri::XML::ParseOptions::NOBLANKS|Nokogiri::XML::ParseOptions::NONET
     # read a XML file
     # opts::
     # * :file - The filename of the file to load