惠普加强XML外部实体注入 [英] HP fortify XML External Entity Injection
本文介绍了惠普加强XML外部实体注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
Hp fortify向我展示了以下代码上的XML外部实体注入:
Hp fortify shows me a XML external entity injection on the below code:
StringBuilder sb = new StringBuilder();
StringWriter stringWriter = new StringWriter(sb);
xmlSerializer.Serialize(stringWriter, o);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(stringWriter.ToString()); //bad code
result = xmlDoc.ChildNodes[1].OuterXml;
在上面的 xmlDoc.LoadXml(stringWriter.ToString());
in the above it was showing the vulnerability in the following line xmlDoc.LoadXml(stringWriter.ToString());
我该如何解决这种情况?
How can I resolve this situation?
推荐答案
使用xmlDoc.XmlResolver = null;加载xml之前.
use xmlDoc.XmlResolver = null; before loading the xml.
这篇关于惠普加强XML外部实体注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
