使用DTD解析加载XmlDocument [英] Loading XmlDocument with DTD parsing
本文介绍了使用DTD解析加载XmlDocument的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试整理作为工作的安全演示,我想说明为什么DTD实体处理可能是危险的,因此我们想要阻止它。我试图让它在更大的意义上工作,但这里是我遇到困难的代码。
I am trying to put together as security demonstration for work and I want to demonstrate why DTD entity processing can be dangerous, and therefore why we want to prevent it. I am trying to get it working in a larger sense but here is the code I am having difficulty with.
String str = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ELEMENT foo ANY> <!ENTITY xxe SYSTEM \"http://www.google.com\" >]><root>&xxe;</root>";
String encoded = System.Web.HttpUtility.UrlEncode(str);
System.Xml.XmlDocument xDoc = new System.Xml.XmlDocument();
xDoc.LoadXml(str)
困难在于每次加载我的xml文档时都会遇到异常不期望DOCTYPE令牌。如何在C#中使用LoadXml启用加载DTD,使用实体扩展解析我的DTD?没有例外?
The difficulty is that every time I load my xml document I get an exception that the DOCTYPE token was not expected. How do I enable loading a DTD in C# with LoadXml, parse my DTD with entity expansion? without an exception?
推荐答案
首先,没有DTD与XML分开的东西。有一个DOCTYPE可以使用单独的外部实体文件定义。
DOCTYPE解析是非常不寻常的事情。大多数XML解析器使用DOCTYPE进行验证,但不提供对已解析的DOCTYPE元素的访问。首先,DOCTYPE没有DOM标准,因为它是为XML的其余部分定义的。当我需要DOCTYPE解析(创建元数据,架构)时,我必须开发自己的解析器。有许多Java解析器,但我从来没有听说过.NET的任何东西。您可以尝试在Web上找到一些。
此外,随着XML Schema的标准化,情况变得更糟,因为DOCTYPE的使用已经大大减少了。你也应该考虑迁移到Schema:
http://en.wikipedia .org / wiki / XML_Schema_%28W3C%29 [ ^ ]。
据我所知,DOCTYPE结构可以使用SGML解析器进行解析。请参阅:
http://stackoverflow.com / questions / 3760220 / how-do-i-parse-a-dtd-file [ ^ ],
http://stackoverflow.com/questions/1148083/sgml-parser-net-recommendations [ ^ ],
https://github.com/MindTouch/SGMLReader [ ^ ],
http://en.wikipedia.org/wiki/Standard_Generalized_Markup_Language [< a href =http://en.wikipedia.org/wiki/Standar d_Generalized_Markup_Languagetarget =_ blanktitle =New Window> ^ ]。
-SA
First of all, there is no such thing as DTD separate from XML. There is a DOCTYPE which can be defined using separate "external entity" file.
DOCTYPE parsing is very unusual thing. Most of XML parsers use DOCTYPE for validation but don't provide access to parsed DOCTYPE elements. First of all, there is no a DOM standard for DOCTYPE as it is defined for the rest of XML. When I needed DOCTYPE parsing (to create a metadata, schema), I had to develop my own parser. There is a number of Java parsers, but I never heard of anything for .NET. You can try to find some on the Web.
Moreover, with the standardization of XML Schema, the situation became only worse, because the use of DOCTYPE has been greatly reduced. You, too, should think about migration to Schema:
http://en.wikipedia.org/wiki/XML_Schema_%28W3C%29[^].
I found that, reportedly, DOCTYPE structure can be parsed using a SGML parser. Please see:
http://stackoverflow.com/questions/3760220/how-do-i-parse-a-dtd-file[^],
http://stackoverflow.com/questions/1148083/sgml-parser-net-recommendations[^],
https://github.com/MindTouch/SGMLReader[^],
http://en.wikipedia.org/wiki/Standard_Generalized_Markup_Language[^].
—SA
这篇关于使用DTD解析加载XmlDocument的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
