Question
HP Fortify shows me an XML external entity injection on the code below:
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

// xmlSerializer, o and result are declared elsewhere in the asker's code
StringBuilder sb = new StringBuilder();
StringWriter stringWriter = new StringWriter(sb);
xmlSerializer.Serialize(stringWriter, o);           // serialize the object to XML text
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(stringWriter.ToString()); //bad code: line flagged by Fortify
result = xmlDoc.ChildNodes[1].OuterXml;             // skip the XML declaration node
In the above, it shows the vulnerability on the following line: xmlDoc.LoadXml(stringWriter.ToString());
How can I resolve this situation?
Answer 1:
Use xmlDoc.XmlResolver = null; before loading the XML.
Answer 2:
The XmlDocument object has an XmlResolver object within it that needs to be set to null in versions prior to 4.5.2. In versions 4.5.2 and up, this XmlResolver is set to null by default.
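The two answers above describe the same fix: clear the document's XmlResolver so that a DOCTYPE in the parsed text cannot make the parser fetch external entities or DTDs. The following is an added, self-contained C# example (not code from the question or the answers) that wraps the asker's serialize-then-reparse flow in a hardened loader. The Person class, the helper names LoadWithoutResolver and LoadProhibitingDtd, and the DOCTYPE sample with its placeholder file path are all constructed for the example; the DtdProcessing.Prohibit variant goes one step beyond the answers by rejecting any DTD outright, which is the stricter setting to prefer when the XML is never expected to carry one.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

// Constructed sample type; the question's object "o" is not shown on the page.
public class Person
{
    public string Name { get; set; }
}

public static class SafeXmlLoad
{
    // Hardened replacement for the flagged LoadXml call (answers 1 and 2):
    // with XmlResolver = null, external entities and external DTDs referenced
    // by the text are never fetched from disk or the network.
    public static XmlDocument LoadWithoutResolver(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;   // required on .NET Framework before 4.5.2; harmless on newer
        doc.LoadXml(xml);
        return doc;
    }

    // Stricter variant (added here, not part of the answers): prohibit DTD
    // processing entirely, so entity declarations are never even parsed.
    public static XmlDocument LoadProhibitingDtd(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument();
        doc.XmlResolver = null;
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Same flow as the question: serialize an object to a string, then re-parse it.
        var serializer = new XmlSerializer(typeof(Person));
        var sb = new StringBuilder();
        using (var writer = new StringWriter(sb))
        {
            serializer.Serialize(writer, new Person { Name = "Alice" });
        }

        XmlDocument doc = LoadWithoutResolver(sb.ToString());
        Console.WriteLine(doc.DocumentElement.OuterXml);

        // Constructed sample carrying a DOCTYPE that declares an external entity.
        // The SYSTEM path is a placeholder. Because DTDs are prohibited, the
        // reader throws an XmlException before any entity could be resolved.
        string withDtd =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE Person [<!ENTITY ext SYSTEM \"file:///placeholder/not-read.txt\">]>" +
            "<Person><Name>&ext;</Name></Person>";

        try
        {
            LoadProhibitingDtd(withDtd);
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DTD rejected: " + ex.Message);
        }
    }
}
```

The serialized output in the first half contains no DOCTYPE, so the XmlResolver = null setting costs nothing there; it matters only for XML that arrives from outside, which is why a scanner flags any XmlDocument whose resolver is left at its default on older framework versions.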
Source: https://stackoverflow.com/questions/42125189/hp-fortify-xml-external-entity-injection