Hacker News

aidenn0, last Thursday at 8:30 PM

External entities in XML[1] were a similar issue back when everyone was using XML for everything, and parsers processed external entities by default.

1: https://owasp.org/www-community/vulnerabilities/XML_External...


Replies

Sohcahtoa82, last Thursday at 10:06 PM

XXE should have never existed.

Whoever decided it should be enabled by default should be put into some sort of cybersecurity jail.

hinkley, last Thursday at 8:34 PM

At least with external entities you could deny the parser an internet connection and force it to only load external documents from a cache you prepopulated and vetted. Turing completeness is a bullshit idea in document formats.
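The two mitigations raised in this thread, a parser that does not expand external general entities unless asked, and, where a workflow genuinely needs them, a resolver that serves only a pre-vetted cache and never touches the network or filesystem, as an added example using Python's standard-library `xml.sax` (this is not code from any commenter). The cache contents, the `example.invalid` system identifiers and the two sample documents are constructed for the demonstration; Python 3.7.1 or later is assumed, since that is where `feature_external_ges` became off by default.

```python
"""Parse XML while resolving external entities only from a vetted cache.

Added example, not code from the Hacker News thread. Standard library only:
xml.sax on top of the expat reader. Two defences are shown:
  1. the default parser, which leaves external general entities unexpanded;
  2. a parser with external entities re-enabled, but whose EntityResolver
     can only hand back documents that were reviewed and cached beforehand.
"""
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed, vetted cache: system identifier -> replacement XML bytes.
# A real deployment would populate this from documents reviewed in advance.
VETTED_ENTITIES = {
    "https://schemas.example.invalid/footer.xml": b"<footer>reviewed copy</footer>",
}

# Constructed sample: references the one entity that is in the cache.
DOC_CACHED = b"""<!DOCTYPE doc [
  <!ENTITY footer SYSTEM "https://schemas.example.invalid/footer.xml">
]>
<doc>body&footer;</doc>"""

# Constructed sample: references an entity the cache does not know.
DOC_UNVETTED = b"""<!DOCTYPE doc [
  <!ENTITY ext SYSTEM "https://schemas.example.invalid/not-reviewed.xml">
]>
<doc>body&ext;</doc>"""


class CacheOnlyResolver(handler.EntityResolver):
    """Serve external entities from an in-memory cache and refuse all others.

    The returned InputSource already carries a byte stream, so xml.sax never
    opens a file or URL for it. An unknown system id aborts the whole parse
    (fail closed) and is recorded so it can be logged or alerted on.
    """

    def __init__(self, cache):
        self.cache = cache
        self.refused = []

    def resolveEntity(self, publicId, systemId):
        if systemId in self.cache:
            src = xmlreader.InputSource(systemId)
            src.setByteStream(io.BytesIO(self.cache[systemId]))
            return src
        self.refused.append(systemId)
        raise xml.sax.SAXException(
            f"external entity {systemId!r} is not in the vetted cache")


class Collector(handler.ContentHandler):
    """Record element names and character data so results can be inspected."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_with_defaults(xml_bytes):
    """Default xml.sax parser: external entities expand to nothing.

    Returns (elements, text).
    """
    parser = xml.sax.make_parser()
    collector = Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.elements, "".join(collector.text)


def parse_with_vetted_cache(xml_bytes, cache=VETTED_ENTITIES):
    """Parse with external entities enabled but sourced only from `cache`.

    Returns (ok, elements, text, refused); ok is False when the document
    referenced an entity outside the cache and the parse was aborted.
    """
    parser = xml.sax.make_parser()
    resolver = CacheOnlyResolver(cache)
    collector = Collector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    # Re-enable external general entities deliberately: the resolver above,
    # not the network or the filesystem, is the only place they can come from.
    parser.setFeature(handler.feature_external_ges, True)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException:
        return False, collector.elements, "".join(collector.text), resolver.refused
    return True, collector.elements, "".join(collector.text), resolver.refused


if __name__ == "__main__":
    print(parse_with_defaults(DOC_UNVETTED))
    print(parse_with_vetted_cache(DOC_CACHED))
    print(parse_with_vetted_cache(DOC_UNVETTED))
```

With the default parser the unvetted entity simply vanishes from the output; with the cache-only resolver the reviewed `footer` element is spliced in, while a reference to anything outside the cache aborts parsing and leaves the offending system identifier in `refused` for the operator to see. If a workflow needs no DTD at all, rejecting any input containing a `<!DOCTYPE` before it reaches the parser is the simpler rule, and the `defusedxml` package packages the same hardening for the other standard-library parsers.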