At best they know about them from experience with HTML, but they are not aware that a document type definition (DTD) can generate an HTTP request or load a file from the file system. Application developers must not rely on a library being configured by default for security and against potentially harmful data.
The Billion Laughs attack – also known as exponential entity expansion – uses multiple levels of nested entities.
In 1.61 the XML::LibXML::XPathContext module, previously distributed separately, was merged in.
Experimental support for Perl threads, introduced in 1.66, was replaced in 1.67.
Ant uses Java classes instead of shell-based commands used in tools such as Make and Jam.
Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties.
The xmlval and xmldtd modules let you validate XML docs against an external DTD file.
This is a simple, straightforward recipe that illustrates how to use the xmlval and xmldtd modules for validated XML parsing.
The attacks use and abuse less common features of XML and its parsers. Nevertheless, some XML libraries and applications are still vulnerable, and even heavy users of XML are surprised by these features. It’s too short-sighted to shift all blame onto XML parsers and XML libraries for using insecure default settings.
The majority of developers are unacquainted with features such as processing instructions and entity expansions that XML inherited from SGML. After all, the parsers properly implement the XML specifications.