尝试在 ANDROID 资源中使用 <!ENTITY 时出现错误:“实体已被引用，但未声明." [英] Trying to use <!ENTITY in ANDROID resources with error: "The entity was referenced, but not declared."

问题描述

我正在按照此解决方案在我的字符串资源文件中使用实体:

和实体:

有人可以提供一个完整的正确例子来使事情奏效吗?我的意思是一个完全可编译的 Android Studio 项目，在单独的文件中包含实体声明.

更新好的，如果你更关注这个 w3schools 链接:

https://www.w3schools.com/xml/xml_dtd_entities.asp

你看到了解决方案:

外部entities.dtd文件包含

然后是新的字符串资源资源:

<资源 xmlns:tools="http://schemas.android.com/tools" tools:ignore="Typos"><string name="ent_devicenamxxe2">&ent_devicename;</string>

我将 <!ENTITY % ent_devicename 更改为 <!ENTITY ent_devicename(不再是 %)我删除了 %ent_devicename;

现在它可以编译，但生成的 APK 似乎忽略了实体值(使用空字符串).所以问题没有解决！

告诉我！

解决方案

TL;DR 此功能已从 Android Studio 中删除. 查看错误报告 此处.

Android Studio 似乎曾经支持过 XML 外部实体.在我看来，Android Studio 目前应该支持外部实体，因为编辑器没有抱怨 XML 的底层处理实际上并没有按预期进行包含，给出了引用但未声明"错误.

虽然我没有发现明确提到 Android Studio 放弃外部实体，但由于发现了一个漏洞，这是有道理的.请参阅 Android 开发人员易受 XXE 数据泄露影响攻击和安全报告.

现在也有可能以某种方式限制对外部实体的访问，但我认为如果是这种情况，Android Studio 会更有帮助.更有可能是因为该漏洞，该功能刚刚被移除.

顺便说一句，我已经尝试过其他答案，但我没有运气 - 只是同样的错误.

我刚刚遇到了一个 Medium讨论 JetBrains 解决 XXE 漏洞的帖子.

第二次编辑

我找到了关于禁用错误跟踪器的参考.

<块引用>

这可能出于安全原因被禁用，它需要在解决之前进行完整的分析，转向 3.2

和

<块引用>

出于安全原因(防止 XXE 攻击)在 Change-Id 中确实禁用了此功能:I2f1978bc5458ba2b2b2d6ffbc9df5710c487a4e4.

它的状态是不会修复预期的行为".如果 Studio 已更改为发出错误消息，表明出于安全原因已禁用该设施，那就太好了.

I'm following this solution to use enetities in my string resource file:

Is it possible to do string substitution in Android resource XML files directly?

I'm using an external file in the resource tree: /res/raw/entities.dtd, its content:

<!ENTITY ent_devicename "MyDeviceName">

In the string.xml resource file:

<!DOCTYPE resources [
    <!ENTITY % ent_devicename SYSTEM "../raw/entities.dtd">
    %ent_devicename;
]>

<resources>
    <string name="name">The name is &ent_devicename;</string>
</resources>

but I get this error:

The entity "ent_devicename" was referenced, but not declared.

As you can see Android Studio recognizes the external entity file:

and the entity:

Can someone provide full a correct example to make things work? I mean a full compilable Android Studio project, with entities declarations in a separated file.

UPDATE Ok, if you pay more attention to this w3schools link:

https://www.w3schools.com/xml/xml_dtd_entities.asp

you see the solution:

the external entities.dtd files contains

<!ENTITY ent_devicename "MyDeviceName">

then the new string resource resource:

<?xml version="1.0" encoding="utf-8"?>

    <!DOCTYPE resources [
        <!ENTITY ent_devicename SYSTEM "../raw/entities.dtd">
        ]>

<resources xmlns:tools="http://schemas.android.com/tools" tools:ignore="Typos">
    <string name="ent_devicenamxxe2">&ent_devicename;</string>

I changed <!ENTITY % ent_devicename to <!ENTITY ent_devicename (no more %) I deleted %ent_devicename;

Now it compiles but the resulting APK seems to ignore the entity values (uses an empty string). So the problem is not resolved!

Let me know!

解决方案

TL;DR This feature has been removed from Android Studio. See the bug report here.

It looks like XML External Entities were supported at one time on Android Studio. It also looks to me like Android Studio currently should be supporting external entities since the editor doesn't complain The underlying processing of the XML doesn't actually do the inclusion as expected giving the "referenced but not declared" error.

Although I have not found an explicit reference to Android Studio abandoning external entities, it would make sense due to a vulnerability that was uncovered. See Android Developers Susceptible to Data Exposure from XXE Attack and the security write-up.

It is also possible that access to external entities are now gated somehow, but I think that Android Studio would be more helpful if that is the case. It is more likely that the functionality was just removed due to the vulnerability.

By the way, I have experimented with the other answers and I have had no luck - just the same error.

Edit:

I just came across a Medium post that discusses JetBrains addressing the XXE vulnerability.

Second edit

I found a reference for the disablement on the bug tracker.

this may have been disabled for security reason, it requires complete analysis before resolution, punting to 3.2

and

This was indeed disabled for security reasons (preventing XXE attacks) in Change-Id: I2f1978bc5458ba2b2b2d6ffbc9df5710c487a4e4.

It's status is "won't fix-intended behavior." It would have been nice if Studio had been changed to emit an error message that the facility was disabled for security reasons.

这篇关于尝试在 ANDROID 资源中使用 &lt;!ENTITY 时出现错误:“实体已被引用，但未声明."的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！