With ToT libxml2, I'm seeing http/tests/security/xss-DENIED-xml-external-entity.xhtml fail because it doesn't even attempt to load the file, and thus doesn't generate a failure message. <rdar://problem/13047266>
The change in behavior was <https://git.gnome.org/browse/libxml2/commit/?id=4629ee02>.
Created attachment 197394 [details] proposed fix There are many differences between createStringParser and createMemoryParser. I'm only fixing one, because I don't know if any of the other differences are intentional. Notably, I'm not adding XML_PARSE_NODICT - I checked the history, and I couldn't find the reason why createMemoryParser uses it.
Comment on attachment 197394 [details] proposed fix View in context: https://bugs.webkit.org/attachment.cgi?id=197394&action=review > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:506 > + xmlCtxtUseOptions(parser, XML_PARSE_NOENT); It might be nice to have a comment explaining why this is the right option to use. > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:531 > // Copy the sax handler Wow, lame comment. > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:534 > xmlCtxtUseOptions(parser, XML_PARSE_NODICT | XML_PARSE_NOENT); It might still be nice to have a comment explaining why these are the right options to use.
Committed <http://trac.webkit.org/r148144>. I changed comments a little, but I don't understand this code enough to explain everything about it.
*** Bug 104680 has been marked as a duplicate of this bug. ***