For increased security, in the field xml editor do not resolve entiti…

…es, and remove processing instructions. See plone/Products.CMFPlone#3209
collective · Nov 16, 2020 · 261ea80 · 261ea80
1 parent 5585125
commit 261ea80
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/news/3209.bugfix b/news/3209.bugfix
@@ -0,0 +1,2 @@
+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
+[maurits]
diff --git a/src/collective/easyform/browser/fields.py b/src/collective/easyform/browser/fields.py
@@ -155,9 +155,13 @@ def __call__(self):
 
         source = self.request.form.get("source")
         if source:
+            # Some safety measures.
+            # We do not want to load entities, especially file:/// entities.
+            # Also discard processing instructions.
+            parser = etree.XMLParser(resolve_entities=False, remove_pis=True)
             # Is it valid XML?
             try:
-                root = etree.fromstring(source)
+                root = etree.fromstring(source, parser=parser)
             except etree.XMLSyntaxError as e:
                 return dumps(
                     {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
		[maurits]