user3089816
Reputation: 191
HP fortify XML External Entity Injection
Hp fortify shows me a XML external entity injection on the below code:
StringBuilder sb = new StringBuilder();
StringWriter stringWriter = new StringWriter(sb);
xmlSerializer.Serialize(stringWriter, o);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(stringWriter.ToString()); //bad code
result = xmlDoc.ChildNodes[1].OuterXml;
in the above it was showing the vulnerability in the following line xmlDoc.LoadXml(stringWriter.ToString());
How can I resolve this situation?
Upvotes: 5
Views: 6179
Answers (2)
chitra_asks
Reputation: 1
The XmlDocument object has an XmlResolver object within it that needs to be set to null in versions prior to 4.5.2. In versions 4.5.2 and up, this XmlResolver is set to null by default.
Upvotes: 0
Related Questions
- Fortify Command Injection fix
- Are XML parsers safe from XML External Entity (XML) injection in .NET Core?
- Fortify fix for XML External Entity Injection
- XML Injection C#
- Preventing XXE (External XML Entity) Injection with Xerces 2
- XML External Entity injection in xsd upload
- Process XML in C# using external entity file
- How to avoid XML injection
- How to use external entities in XML?
- XML Injection attacks