Completely disable xml entity resolution
I misunderstood how the `fetch_fun` option on `xmerl_scan.string` worked. While the previous patch was sufficient to prevent reading local files, it still could be DOSed with a billion laughs attack.
Checklist
- [x] Adding a changelog: In the `changelog.d` directory, create a file named `<code>.<type>`.
Edited by Mae BadAtNames
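
The distinction the description draws, between refusing external entity fetches and refusing entity declarations altogether, as an added example that is not the patch from this merge request. It uses Python's expat bindings as a stand-in for xmerl and does not reproduce xmerl's API; the policy names, helper functions and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

class EntityRejected(Exception):
    """Raised from a handler to abort parsing."""

# Constructed samples. The path is a placeholder; nothing is ever opened.
EXTERNAL = ('<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder">]>'
            '<r>&x;</r>')
# Three small levels of nesting: "ha" (2 chars) expands to 18 chars.
NESTED = ('<!DOCTYPE r [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;">]><r>&c;</r>')
PLAIN = '<r>hello</r>'

def parse(doc, policy):
    """Return the document's character data, or raise EntityRejected.

    policy "no_fetch":    refuse only references to external entities.
    policy "no_entities": additionally refuse every entity declaration.
    """
    out = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = out.append

    def refuse_external(context, base, system_id, public_id):
        raise EntityRejected("external entity: %s" % system_id)

    def refuse_decl(name, is_param, value, base, system_id, public_id,
                    notation):
        raise EntityRejected("entity declaration: %s" % name)

    parser.ExternalEntityRefHandler = refuse_external
    if policy == "no_entities":
        parser.EntityDeclHandler = refuse_decl
    parser.Parse(doc, True)
    return "".join(out)

def outcome(doc, policy):
    """Length of the expanded text, or "rejected" if the policy fired."""
    try:
        return len(parse(doc, policy))
    except EntityRejected:
        return "rejected"
```

Under `no_fetch` the nested internal entities are still expanded by the parser, which is the gap the description reports; under `no_entities` the document is refused at the first declaration, before any expansion happens.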