From ddddb90442c35c425090e7d364546b42c3bc107e Mon Sep 17 00:00:00 2001
From: "ARTECH\\sgrampone" <sgrampone@genexus.com>
Date: Wed, 14 Dec 2022 15:39:39 -0300
Subject: [PATCH 1/6] Change ReadExternalEntities default value to false for
 XmlReader Data Type

---
 dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
index 3e5981eb1..e5185f0ab 100644
--- a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
@@ -1200,7 +1200,7 @@ private class GXResolver: XmlUrlResolver
 		{
 
 			private Uri myself;
-			private bool readExternalEntities = true;
+			private bool readExternalEntities = false;
 			private GXXMLReader xmlreader;
 			private UnparsedEntitiesContainer entities;
 

From 5e53663914d706d86bec951e464c4019cf8e45cd Mon Sep 17 00:00:00 2001
From: "ARTECH\\sgrampone" <sgrampone@genexus.com>
Date: Thu, 15 Dec 2022 11:40:06 -0300
Subject: [PATCH 2/6] Add readExternalEntities property inicialization false on
 contructor method.

---
 dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
index 369c75818..ff5d512fb 100644
--- a/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
@@ -1198,7 +1198,7 @@ private class GXResolver: XmlUrlResolver
 		{
 
 			private Uri myself;
-			private bool readExternalEntities = true;
+			private bool readExternalEntities = false;
 			private GXXMLReader xmlreader;
 			private UnparsedEntitiesContainer entities;
 
@@ -1230,6 +1230,7 @@ public GXResolver(GXXMLReader reader, UnparsedEntitiesContainer EntitiesContaine
 			{
 				xmlreader = reader;
 				entities = EntitiesContainer;
+				readExternalEntities = false;
 			}
 			
 			public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)	

From 17c1ea7d79a5de08f89a4c9ec955bf84d13ade44 Mon Sep 17 00:00:00 2001
From: "ARTECH\\sgrampone" <sgrampone@genexus.com>
Date: Fri, 16 Dec 2022 10:47:41 -0300
Subject: [PATCH 3/6] Add readExternalEntities property inicialization false on
 .Net Framework constructor.

---
 dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
index e5185f0ab..5cd854707 100644
--- a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
@@ -1232,6 +1232,7 @@ public GXResolver(GXXMLReader reader, UnparsedEntitiesContainer EntitiesContaine
 			{
 				xmlreader = reader;
 				entities = EntitiesContainer;
+				readExternalEntities = false;
 			}
 			
 			public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)	

From c76a6d6ad5c5d0c686514bb65f011f5276523f6e Mon Sep 17 00:00:00 2001
From: "ARTECH\\sgrampone" <sgrampone@genexus.com>
Date: Wed, 28 Dec 2022 13:48:07 -0300
Subject: [PATCH 4/6] Fix default read extenral entities

---
 dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs      | 4 +++-
 dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
index ff5d512fb..123bc5127 100644
--- a/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs
@@ -116,7 +116,7 @@ public GXXMLReader()
 			SimpleElements = 1;
 			RemoveWhiteNodes = 1;
 			RemoveWhiteSpaces = 1;
-			ReadExternalEntities = 1;
+			ReadExternalEntities = 0;
 			_basePath = "";
 
 		}
@@ -228,6 +228,8 @@ private void SetDtdProcessing(XmlReaderSettings treaderSettings, GXResolver reso
 		{
 			if (treaderSettings != null && !resolver.ReadExternalEntities && validationType == ValidationNone)
 				treaderSettings.DtdProcessing = DtdProcessing.Ignore;
+			else
+				treaderSettings.DtdProcessing = DtdProcessing.Parse;
 		}
 
 		public short OpenResponse(IGxHttpClient httpClient)
diff --git a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
index 5cd854707..09d31010e 100644
--- a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
@@ -105,7 +105,7 @@ public GXXMLReader()
 			SimpleElements = 1;
 			RemoveWhiteNodes = 1;
 			RemoveWhiteSpaces = 1;
-			ReadExternalEntities = 1;
+			ReadExternalEntities = 0;
 			_basePath = "";
 
 		}

From a25d07c8fa49d8f1192c0503ff20702dc729b2cd Mon Sep 17 00:00:00 2001
From: cmurialdo <cmurialdo@genexus.com>
Date: Thu, 29 Dec 2022 14:47:14 -0300
Subject: [PATCH 5/6] Add unit test for ReadExternalEntitites

---
 .../DotNetCoreUnitTest.csproj                 |  7 ++
 .../DotNetUnitTest/Domain/XmlReaderTest.cs    | 88 +++++++++++++++++++
 .../test/DotNetUnitTest/DotNetUnitTest.csproj |  6 ++
 .../resources/QueryViewerObjects.xml          | 27 ++++++
 .../resources/QueryViewerObjects.xsd          | 84 ++++++++++++++++++
 5 files changed, 212 insertions(+)
 create mode 100644 dotnet/test/DotNetUnitTest/Domain/XmlReaderTest.cs
 create mode 100644 dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xml
 create mode 100644 dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xsd

diff --git a/dotnet/test/DotNetCoreUnitTest/DotNetCoreUnitTest.csproj b/dotnet/test/DotNetCoreUnitTest/DotNetCoreUnitTest.csproj
index f30bea9c7..2e21a70d6 100644
--- a/dotnet/test/DotNetCoreUnitTest/DotNetCoreUnitTest.csproj
+++ b/dotnet/test/DotNetCoreUnitTest/DotNetCoreUnitTest.csproj
@@ -14,6 +14,7 @@
 	    <Compile Include="..\DotNetUnitTest\ConfigMappings\ConfigTest.cs" Link="ConfigMappings\ConfigTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\Domain\GxHttpClientTest.cs" Link="Domain\GxHttpClientTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\Domain\ShellTest.cs" Link="Domain\ShellTest.cs" />		
+	    <Compile Include="..\DotNetUnitTest\Domain\XmlReaderTest.cs" Link="Domain\XmlReaderTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\FileIO\DfrgFunctions.cs" Link="FileIO\DfrgFunctions.cs" />
 		<Compile Include="..\DotNetUnitTest\FileIO\FileSystemTest.cs" Link="FileIO\FileSystemTest.cs" />
 		<Compile Include="..\DotNetUnitTest\FileIO\Xslt.cs" Link="FileIO\Xslt.cs" />
@@ -38,6 +39,9 @@
 		<EmbeddedResource Include="..\DotNetUnitTest\type_SdtItem.cs" Link="type_SdtItem.cs">
 			<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 		</EmbeddedResource>
+		<Content Include="..\DotNetUnitTest\resources\QueryViewerObjects.xml" Link="resources\QueryViewerObjects.xml">
+		  <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+		</Content>
 		<Content Include="..\DotNetUnitTest\resources\xml\error.xml" Link="resources\xml\error.xml">
 		  <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 		</Content>
@@ -159,6 +163,9 @@
 
 
 	<ItemGroup>
+	  <None Include="..\DotNetUnitTest\resources\QueryViewerObjects.xsd" Link="resources\QueryViewerObjects.xsd">
+	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+	  </None>
 	  <None Include="..\DotNetUnitTest\resources\xml\xmlTohtml1.xsl" Link="resources\xml\xmlTohtml1.xsl">
 	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 	  </None>
diff --git a/dotnet/test/DotNetUnitTest/Domain/XmlReaderTest.cs b/dotnet/test/DotNetUnitTest/Domain/XmlReaderTest.cs
new file mode 100644
index 000000000..f6346cc88
--- /dev/null
+++ b/dotnet/test/DotNetUnitTest/Domain/XmlReaderTest.cs
@@ -0,0 +1,88 @@
+using System;
+using System.IO;
+using System.Xml;
+using GeneXus.XML;
+using Xunit;
+
+namespace xUnitTesting
+{
+	public class XmlReaderTest
+	{
+		[Fact]
+		public void TestExternalEntitiesEnabled()
+		{
+			TestExternalEntities(1);
+		}
+		[Fact]
+		public void TestExternalEntitiesDisabled()
+		{
+			TestExternalEntities(0);
+		}
+		void TestExternalEntities(int externalEntities)
+		{
+			string xml;
+			string value;
+			GXXMLReader xmlReader;
+
+			using (xmlReader = new GXXMLReader(Directory.GetCurrentDirectory()))
+			{
+				xmlReader.ReadExternalEntities = externalEntities;
+				xml = "";
+				xml += "<!DOCTYPE Envelope [";
+				xml += "<!ELEMENT Envelope ANY >";
+				xml += "<!ENTITY xxe \"Hello\">";
+				xml += "<!ENTITY xxe2 \"&xxe;&xxe;&xxe;&xxe;\">";
+				xml += "] >";
+				xml += "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xxe=\"issue63212\">";
+				xml += "<soapenv:Header/>";
+				xml += "<soapenv:Body>";
+				xml += "<xxe:helloworld.Execute>";
+				xml += "<xxe:Name>&xxe2;</xxe:Name>";
+				xml += "</xxe:helloworld.Execute>";
+				xml += "</soapenv:Body>";
+				xml += "</soapenv:Envelope>";
+				xmlReader.OpenFromString(xml);
+				Assert.Equal(0, xmlReader.ErrCode);
+				Assert.Equal(string.Empty, xmlReader.ErrDescription);
+				if (!xmlReader.EOF)
+				{
+					xmlReader.Read();
+					Assert.Equal(0, xmlReader.ErrCode);
+					Assert.Equal(string.Empty, xmlReader.ErrDescription);
+					value = xmlReader.Value;
+					if (externalEntities==0)
+						Assert.Equal(string.Empty, value);
+					else
+						Assert.Equal("Envelope", value);
+				}
+				xmlReader.Close();
+			}
+
+		}
+		[Fact]
+		public void TestValidationType()
+		{
+			string value;
+			GXXMLReader xmlReader;
+
+			using (xmlReader = new GXXMLReader(Directory.GetCurrentDirectory()))
+			{
+				xmlReader.ValidationType = GXXMLReader.ValidationSchema;
+				xmlReader.AddSchema("./resources/QueryViewerObjects.xsd", "qv");
+				xmlReader.Open("./resources/QueryViewerObjects.xml");
+				Assert.Equal(string.Empty, xmlReader.ErrDescription);
+				Assert.Equal(0, xmlReader.ErrCode);
+				if (!xmlReader.EOF)
+				{
+					xmlReader.Read();
+					Assert.Equal(0, xmlReader.ErrCode);
+					Assert.Equal(string.Empty, xmlReader.ErrDescription);
+					value = xmlReader.Name;
+					Assert.Equal("Objects", value);
+				}
+				xmlReader.Close();
+			}
+
+		}
+	}
+}
diff --git a/dotnet/test/DotNetUnitTest/DotNetUnitTest.csproj b/dotnet/test/DotNetUnitTest/DotNetUnitTest.csproj
index e23d781a0..38a9f0dc7 100644
--- a/dotnet/test/DotNetUnitTest/DotNetUnitTest.csproj
+++ b/dotnet/test/DotNetUnitTest/DotNetUnitTest.csproj
@@ -68,6 +68,12 @@
     <None Update="resources\bird-thumbnail.jpg">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Update="resources\QueryViewerObjects.xml">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="resources\QueryViewerObjects.xsd">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Update="resources\text.txt">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
diff --git a/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xml b/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xml
new file mode 100644
index 000000000..cc9119fef
--- /dev/null
+++ b/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Objects xmlns="qv">
+  <Object name="General.UI.SidebarItemsDP" id="1" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="Cliente_DataProvider" id="2" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderNone" id="7" type="DataProvider" IntegratedSecurityLevel="SecurityNone" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderAuthorization" id="8" type="DataProvider" IntegratedSecurityLevel="SecurityHigh" PermissionPrefix="DataProviderAuthorization" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderAuthentication" id="9" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryNone" id="1" type="Query" IntegratedSecurityLevel="SecurityNone" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryAuthentication" id="2" type="Query" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryAuthorization" id="3" type="Query" IntegratedSecurityLevel="SecurityHigh" PermissionPrefix="QueryAuthorization" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+</Objects>
\ No newline at end of file
diff --git a/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xsd b/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xsd
new file mode 100644
index 000000000..94c45a6c8
--- /dev/null
+++ b/dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xsd
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+		   targetNamespace="qv"
+		   xmlns="qv"
+		   elementFormDefault="qualified">
+	<xs:element name="Objects">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="Object" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="DefaultOutput">
+								<xs:complexType>
+									<xs:attribute name="type" type="outputType" use="required"/>
+								</xs:complexType>
+							</xs:element>
+						</xs:sequence>
+						<xs:attribute name="name" type="xs:string" use="required"/>
+						<xs:attribute name="id" type="xs:nonNegativeInteger" use="required"/>
+						<xs:attribute name="type" type="objectType" use="required"/>
+						<xs:attribute name="IntegratedSecurityLevel" type="securityLevel"/>
+						<xs:attribute name="PermissionPrefix" type="xs:string"/>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	<xs:simpleType name="objectType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="Query"/>
+			<xs:enumeration value="DataProvider"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:simpleType name="securityLevel">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="SecurityNone"/>
+			<xs:enumeration value="SecurityLow"/>
+			<xs:enumeration value="SecurityHigh"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:simpleType name="outputType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="OutputTypeCard"/>
+			<xs:enumeration value="OutputTypeMap"/>
+			<xs:enumeration value="OutputTypePivotTable"/>
+			<xs:enumeration value="OutputTypeTable"/>
+			<xs:enumeration value="OutputTypeChartColumn"/>
+			<xs:enumeration value="OutputTypeChartColumn3D"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn3D"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn100"/>
+			<xs:enumeration value="OutputTypeChartBar"/>
+			<xs:enumeration value="OutputTypeChartStackedBar"/>
+			<xs:enumeration value="OutputTypeChartStackedBar100"/>
+			<xs:enumeration value="OutputTypeChartArea"/>
+			<xs:enumeration value="OutputTypeChartStackedArea"/>
+			<xs:enumeration value="OutputTypeChartStackedArea100"/>
+			<xs:enumeration value="OutputTypeChartSmoothArea"/>
+			<xs:enumeration value="OutputTypeChartStepArea"/>
+			<xs:enumeration value="OutputTypeChartLine"/>
+			<xs:enumeration value="OutputTypeChartStackedLine"/>
+			<xs:enumeration value="OutputTypeChartStackedLine100"/>
+			<xs:enumeration value="OutputTypeChartSmoothLine"/>
+			<xs:enumeration value="OutputTypeChartStepLine"/>
+			<xs:enumeration value="OutputTypeChartPie"/>
+			<xs:enumeration value="OutputTypeChartPie3D"/>
+			<xs:enumeration value="OutputTypeChartDoughnut"/>
+			<xs:enumeration value="OutputTypeChartDoughnut3D"/>
+			<xs:enumeration value="OutputTypeChartLinearGauge"/>
+			<xs:enumeration value="OutputTypeChartCircularGauge"/>
+			<xs:enumeration value="OutputTypeChartRadar"/>
+			<xs:enumeration value="OutputTypeChartFilledRadar"/>
+			<xs:enumeration value="OutputTypeChartPolarArea"/>
+			<xs:enumeration value="OutputTypeChartFunnel"/>
+			<xs:enumeration value="OutputTypeChartPyramid"/>
+			<xs:enumeration value="OutputTypeChartColumnLine"/>
+			<xs:enumeration value="OutputTypeChartColumn3DLine"/>
+			<xs:enumeration value="OutputTypeChartTimeline"/>
+			<xs:enumeration value="OutputTypeChartSmoothTimeline"/>
+			<xs:enumeration value="OutputTypeChartStepTimeline"/>
+			<xs:enumeration value="OutputTypeChartSparkline"/>
+		</xs:restriction>
+	</xs:simpleType>
+</xs:schema>
\ No newline at end of file

From 89e89bad883b7e0c10cbd1f86a321575c4b21eba Mon Sep 17 00:00:00 2001
From: cmurialdo <cmurialdo@genexus.com>
Date: Thu, 29 Dec 2022 16:47:59 -0300
Subject: [PATCH 6/6] Temprary restore ReadExternalEntities default true until
 fix unit test.

---
 dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
index 09d31010e..5cd854707 100644
--- a/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
+++ b/dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs
@@ -105,7 +105,7 @@ public GXXMLReader()
 			SimpleElements = 1;
 			RemoveWhiteNodes = 1;
 			RemoveWhiteSpaces = 1;
-			ReadExternalEntities = 0;
+			ReadExternalEntities = 1;
 			_basePath = "";
 
 		}