Hacker News

moffkalast, last Friday at 8:53 PM (3 replies)

How can there be security issues with a public document? Can't you just sign it with a cert like any other piece of data that needs a proven source?

But also, let me get this straight: there is an actual EU standard for invoices? Why does nobody follow this, and I have to keep asking people to put the fucking VAT ID onto it like I'm a broken record?


Replies

rullera, last Friday at 8:57 PM

States had not started to enforce them until recently. As I understand it, the goal is to have all members using them in a couple of years' time.

Analemma_, last Friday at 9:08 PM

The concern is that a malicious vendor could send you an evil invoice where the XML either references external entities that get downloaded and allow potential RCE, or where the document contains references to the local execution environment which allow data exfiltration (or both). In theory a properly-secured XML parser shouldn't allow this, but history has shown that's harder than you might think.

IncreasePosts, last Friday at 8:58 PM

Because when some things parse the document, they do things like read files from the OS as specified in the document.
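
An added example (my own, not code from anyone in this thread) of the parser-side defence the two comments above point at: a pre-check that refuses the DOCTYPE and external-entity constructs before an inbound invoice is handed to a normal parser. The invoice layout, element names and VAT number are constructed and simplified, not a real EN 16931 / UBL document.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeInvoiceXML(ValueError):
    """Raised when an invoice carries constructs a vendor has no reason to send."""


def reject_dtd_constructs(data: bytes) -> None:
    """Walk the bytes with expat and abort on any DOCTYPE or external entity."""
    # Structured invoice formats carry no DTD, so a DOCTYPE is itself a red flag:
    # it is the only place external entities (file reads, outbound fetches) live.
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeInvoiceXML(f"DOCTYPE not allowed (root element {name!r})")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeInvoiceXML(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    # Never expand parameter entities either; they are the other carrier.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def is_safe_invoice(data: bytes) -> bool:
    """True if the document passes the pre-check, False if it was rejected."""
    try:
        reject_dtd_constructs(data)
    except UnsafeInvoiceXML:
        return False
    return True


def parse_invoice(data: bytes) -> dict:
    """Run the pre-check, then parse and extract the fields we care about."""
    reject_dtd_constructs(data)
    root = ET.fromstring(data)
    return {"id": root.findtext("ID"), "seller_vat": root.findtext("Seller/VatID")}


# Constructed samples with a simplified layout (not real EN 16931 / UBL documents).
GOOD_INVOICE = b"""<?xml version="1.0"?>
<Invoice><ID>INV-0001</ID><Seller><VatID>DE123456789</VatID></Seller></Invoice>"""

# Same layout plus the DOCTYPE/external-entity construct the thread describes;
# the SYSTEM path is a placeholder, the point is that it is never resolved.
BAD_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>
<Invoice><ID>&ext;</ID><Seller><VatID>DE123456789</VatID></Seller></Invoice>"""
```

The pre-check runs on the raw bytes, so it also catches a DOCTYPE that a byte-level regex would miss in a differently encoded document.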