Prevent XmlReader from expanding XML entities

Submitted by 扶醉桌前 on 2019-12-01 20:26:10

One way to do that is to use XmlTextReader, like this:

using (var reader = new XmlTextReader(@"your url"))
{
    // note this
    reader.EntityHandling = EntityHandling.ExpandCharEntities;
    while (reader.Read())
    {
        // here it will be EntityReference with no exceptions
    }
}

If that is not an option - you can do the same with XmlReader, but some reflection will be required (at least I'm not aware of another way):

// requires: using System.Reflection;
using (var reader = XmlReader.Create(@"your url", new XmlReaderSettings() {
    DtdProcessing = DtdProcessing.Ignore // or Parse
}))
{
    // get internal property which has the same function as above in XmlTextReader
    reader.GetType()
          .GetProperty("EntityHandling", BindingFlags.Instance | BindingFlags.NonPublic)
          .SetValue(reader, EntityHandling.ExpandCharEntities);
    while (reader.Read())
    {
        // here it will be EntityReference with no exceptions
    }
}

XML parsing is dangerous. In some cases it leads to CVEs and Denial-of-Service attacks.

For example CVE-2016-3255

Also it was discussed at Black Hat EU 2013.

The most interesting document is MLDTDEntityAttacks, which provides Implementations and Recommendations for developers.

Retrieve resources:

<!DOCTYPE roottag [
 <!ENTITY windowsfile SYSTEM "file:///c:/boot.ini">
]>
<roottag>
 <sometag>&windowsfile;</sometag>
</roottag>

DoS:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root
  [
  <!ENTITY a0 "test" >
  <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
  <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
  <!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
  <!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
  ]>
<root>&a4;</root>

Back to your question.
As @Evk wrote: by setting EntityHandling you can prevent expanding all entities except CharEntities.

I don't know of a solution to prevent expanding CharEntity except your own XmlReader implementation.

I think you also want to prevent parsing &amp; &apos; &lt; &gt; &quot;

FYI, how and where XmlTextReader parses CharEntity:

XmlTextReader
  ParseElementContent
    & case
      ParseText
        Char entity case
          ParseCharRefInline

This function finally parses numeric character entity references (e.g. &#32; and &#x00E1;):
  ParseNumericCharRefInline

This function parses named character entity references (&amp; &apos; &lt; &gt; &quot;):
  ParseNamedCharRef
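Both answers stop at EntityHandling. As an added example (not from either answer), the following shows the XmlReaderSettings a defender would normally reach for against the DoS payload quoted above: DtdProcessing.Prohibit, a null XmlResolver so SYSTEM entities like the boot.ini one are never fetched, and MaxCharactersFromEntities as a ceiling when DTDs must be accepted. The limit values and the TryParse/HardenedSettings names are assumptions chosen for the demo.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Constructed input: the expansion payload from the thread, cut to three levels.
    const string Payload = @"<?xml version=""1.0"" encoding=""UTF-8"" standalone=""no""?>
<!DOCTYPE root [
  <!ENTITY a0 ""test"">
  <!ENTITY a1 ""&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;"">
  <!ENTITY a2 ""&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;"">
  <!ENTITY a3 ""&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;"">
]>
<root>&a3;</root>";

    // Hardened settings (assumed values): refuse DTDs outright, or, when a DTD
    // must be accepted, cap the text that entity expansion may produce. A null
    // resolver means SYSTEM/PUBLIC identifiers (file:///, http://) are never fetched.
    static XmlReaderSettings HardenedSettings(bool allowDtd) => new XmlReaderSettings
    {
        DtdProcessing = allowDtd ? DtdProcessing.Parse : DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,   // a3 alone expands to 11^3 * 4 = 5324 chars
        MaxCharactersInDocument = 1 << 20,
    };

    // Parses `xml` with the hardened settings and reports what the parser did.
    public static string TryParse(string xml, bool allowDtd)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings(allowDtd)))
            {
                long textChars = 0;
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Text) textChars += reader.Value.Length;
                return "parsed, " + textChars + " text chars";
            }
        }
        catch (XmlException ex)   // both the DTD prohibition and the entity cap surface here
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine(TryParse(Payload, allowDtd: false)); // rejected: DTD is prohibited
        Console.WriteLine(TryParse(Payload, allowDtd: true));  // rejected: MaxCharactersFromEntities exceeded
    }
}
```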
