From 261ea800fbe3bd650a83b1fe7558ba51bd7d0c9e Mon Sep 17 00:00:00 2001
From: Maurits van Rees
Date: Mon, 16 Nov 2020 11:58:34 +0100
Subject: [PATCH] For increased security, in the field xml editor do not resolve entities, and remove processing instructions. See https://github.com/plone/Products.CMFPlone/issues/3209
---
news/3209.bugfix | 2 ++
src/collective/easyform/browser/fields.py | 6 +++++-
2 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 news/3209.bugfix
diff --git a/news/3209.bugfix b/news/3209.bugfix
new file mode 100644
index 00000000..848c2531
--- /dev/null
+++ b/news/3209.bugfix
@@ -0,0 +1,2 @@
+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
+[maurits]
diff --git a/src/collective/easyform/browser/fields.py b/src/collective/easyform/browser/fields.py
index 6a49ce41..9db49100 100644
--- a/src/collective/easyform/browser/fields.py
+++ b/src/collective/easyform/browser/fields.py
@@ -155,9 +155,13 @@ def __call__(self):
 source = self.request.form.get("source")
 if source:
+ # Some safety measures.
+ # We do not want to load entities, especially file:/// entities.
+ # Also discard processing instructions.
+ parser = etree.XMLParser(resolve_entities=False, remove_pis=True)
 # Is it valid XML?
 try:
- root = etree.fromstring(source)
+ root = etree.fromstring(source, parser=parser)
 except etree.XMLSyntaxError as e:
 return dumps(
 {
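Review bot: The `except etree.XMLSyntaxError as e:` branch after the changed `fromstring` call does not cover the `ValueError` lxml raises when `source` is a text string that carries an XML encoding declaration in its prolog, so a pasted model starting with `<?xml version="1.0" encoding="utf-8"?>` would likely escape the JSON error path; if `request.form["source"]` arrives as `str` here (not visible in the hunk), widen it to `except (etree.XMLSyntaxError, ValueError) as e:`. The new parser line addresses the two libxml2 behaviours named in the comment, but the hardening also relies on the lxml defaults `load_dtd=False` and `no_network=True`; spelling them out, `etree.XMLParser(resolve_entities=False, remove_pis=True, load_dtd=False, no_network=True)`, keeps the security intent self-documenting and independent of future default changes. `__call__` continues past the hunk; if the rest of it persists the raw `source` rather than `etree.tostring(root)`, the PI removal affects only this validation pass and the stored model still contains the original PIs and entity declarations, so every place the model is re-parsed needs the same parser options. The comment could say that explicitly, e.g. `# NOTE: these options harden this validation parse only; the stored source is re-parsed elsewhere.`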