Christian Heimes  committed d96b56e

more thanks and explain others

  • Participants
  • Parent commits 96a333e
  • Branches default


Files changed (1)

 You should keep in mind that XSLT is a Turing complete language. Never
 process XSLT code from unknown or untrusted source! XSLT processors may
 allow you to interact with external resources in ways you can't even imagine.
+Some processors even support extensions that allow read/write access to file
+system, access to JRE objects or scripting with Jython.
 Example from `Attacking XML Security`_ for Xalan-J::
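Review bot: the new sentence beginning "Some processors even support extensions" drops the article before "file system"; suggest "read/write access to the file system". It would also help to say which processors are meant rather than "some processors", since the only processor named in this part of the document is Xalan-J in the example that follows; if that example is the one that exercises such an extension, say so where it is introduced, otherwise name the processors the claim refers to.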
 Other languages / frameworks
+Several other programming languages and frameworks are vulnerable as well. A
+couple of them are affected by the fact that libxml2 up to 2.9.0 has no
+protection against quadratic blowup attacks. Most of them have potential
+dangerous default settings for entity expansion and external entities, too.
 Perl's XML::Simple is vulnerable to quadratic entity expansion and external
-entity expansion (both local and remote)
+entity expansion (both local and remote).
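Review bot: "potential dangerous default settings" should read "potentially dangerous default settings". The version statement "libxml2 up to 2.9.0 has no protection against quadratic blowup attacks" is something readers will act on, so it should say whether 2.9.0 itself is affected ("up to and including 2.9.0" or "before 2.9.1") and, if known, which release added protection; as written it is ambiguous. The opening "Several other programming languages and frameworks are vulnerable as well. A couple of them ... Most of them ..." is vague for an advisory: either list the affected ones here or state that the per-language entries that follow (the XML::Simple entry is the first) are the definitive list. The added trailing period on "(both local and remote)." is fine.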
   report and assistance.
 Thierry Carrez (OpenStack)
+  Many thanks to Thierry for his report to the Python Security Response
+  Team on behalf of the OpenStack security team.
 Carl Meyer (Django)
+  Many thanks to Carl for his report to PSRT on behalf of the Django security
+  team.
 Daniel Veillard (libxml2)
+  Many thanks to Daniel for his insight and assistance with libxml2.
 semantics GmbH (
   Many thanks to my employer semantics for letting me work on the issue
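Review bot: the three new acknowledgement entries match the surrounding definition-list layout (name on one line, indented credit below), and spelling out "Python Security Response Team" in the first entry before abbreviating to "PSRT" in the second is the right order. One thing in the surrounding context worth fixing in the same change: the term line "semantics GmbH (" opens a parenthesis that is not closed on the visible lines; if it is meant to hold a URL or the company's legal form, complete it, otherwise drop the parenthesis.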