Question
I am trying to build & develop a Security POC. This code is part of an app that I've extracted into a smaller app because I am having some difficulty with it.
```csharp
String str = "<?xml version=\"1.0\"?><!DOCTYPE foo[<!ELEMENT foo ANY> <!ENTITY word \"A\">]><foo>&word;</foo>";
System.Xml.XmlDocument xDoc = new System.Xml.XmlDocument();
xDoc.LoadXml(str);
xDoc.Save(@"C:\Temp\xdoc.xml");
```
Consider that the XML string contains a DTD entity, word, which is referenced in my actual XML. When the document is loaded, I would expect the DTD to get processed and therefore replace the entity "word" referred to in my XML with the character string "A", then write the whole document back out to disk. However, when I examine xDoc.xml, the entity expansion/replacement hasn't happened.
Why not?
Answer 1:
You can find the following in the documentation of the LoadXml method, which you use in your code:

"This method does not do DTD or Schema validation. If you want validation to occur, use the Load method and pass it an XmlValidatingReader. See XmlDocument for an example of load-time validation."
The article, this one and many others provide code examples of DTD validation.
Source: https://stackoverflow.com/questions/19057651/xmldocument-load-not-processing-dtd
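
An added example (not from the original question or answer): the question's document loaded through XmlReader.Create with explicit XmlReaderSettings, the current replacement for the obsolete XmlValidatingReader, so the internal entity is expanded while external resolution stays disabled and expansion is capped. The class name, the Load helper and the 1024-character cap are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class EntityExpansionDemo
{
    // Constructed sample: the document from the question (internal entity only).
    const string Sample = "<?xml version=\"1.0\"?><!DOCTYPE foo[<!ELEMENT foo ANY> " +
                          "<!ENTITY word \"A\">]><foo>&word;</foo>";

    // Hypothetical helper: load XML through a reader whose DTD handling is explicit.
    static XmlDocument Load(string xml, DtdProcessing dtd)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = dtd,
            XmlResolver = null,               // never fetch external DTDs or entities
            MaxCharactersFromEntities = 1024  // assumed cap on total entity expansion
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // As in the question: LoadXml, then inspect what kind of node <foo> holds.
        var viaLoadXml = new XmlDocument { XmlResolver = null };
        viaLoadXml.LoadXml(Sample);
        Console.WriteLine("LoadXml child node: " + viaLoadXml.DocumentElement.FirstChild.NodeType);

        // DtdProcessing.Parse: the reader resolves &word; from the internal subset
        // before XmlDocument builds the tree, so <foo> holds plain text.
        XmlDocument expanded = Load(Sample, DtdProcessing.Parse);
        Console.WriteLine("Parse child node:   " + expanded.DocumentElement.FirstChild.NodeType);
        Console.WriteLine(expanded.DocumentElement.OuterXml);

        // DtdProcessing.Prohibit: the setting for untrusted input; any DOCTYPE throws.
        try { Load(Sample, DtdProcessing.Prohibit); }
        catch (XmlException ex) { Console.WriteLine("Prohibit: " + ex.Message); }
    }
}
```

Calling Save on the document returned by Load with DtdProcessing.Parse writes the expanded text instead of the entity reference.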