commit: ca0859b90f0f3cb9bb369d38d29868de59796c2c
parent 1062185ba03ffa03f0dfcfc11f948285b2ffd610
Author: Mae <Mae@is.badat.dev>
Date: Fri, 4 Aug 2023 22:24:17 +0100
Prevent XML parser from loading external entities
Diffstat:
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
@@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
{doc, _rest} =
text
|> :binary.bin_to_list()
- |> :xmerl_scan.string(quiet: true)
+ |> :xmerl_scan.string(
+ quiet: true,
+ fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+ )
{:ok, doc}
rescue
