Allow toggling XML External Entity support for XmlParse, isXml

just bumping this up, these per use overrides are available in 5.4.3.2

TryCF is now running 5.4.3.2, however, support for overriding xmlFeatures has been disabled via lucee.xmlfeatures.override.disable=true so isXml() will still return false, xmlParse with throw an error

<cfscript>
    
//trycf has lucee.xmlfeatures.override.disable=true set

str= '<?xml version="1.0" encoding="ISO-8859-1"?>
			<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd">
			<hibernate-mapping></hibernate-mapping>';
			
dump(isXml(str)); // only returns boolean

dump(isXml(str, {
    "secure": true,
	"disallowDoctypeDecl": true,
	"externalGeneralEntities": false
})); // xmlfeatures override ignored

flush;

try {
    dump( xmlParse( str, false, {
		"secure": true,
		"disallowDoctypeDecl": true,
		"externalGeneralEntities": false
	})); // xmlfeatures override ignored
} catch(e){
	echo(e);
}
</cfscript>

2 Likes