pySCG investigate on creating CWE-91 Prevent XML injection #986

@myteron

Description

Missing code examples that are suitable in terms of length and the need to install additional modules.

XML as such is similar to HTML, not Python, but we do have rules on HTML such as CWE-472.
Challenging to avoid using a module from outside of the standard lib in the code examples.

CVEs that could lead to an alternative code example (CWE-91):

CVE-2021-36359 (nist.gov)
CVE-2018-1000632 (nist.gov)
CVE-2022-46751 (nist.gov)
It's mostly an issue due to disabling of a DTD or lack of using one and lack of input sanitation. Subsequently an attacker has a greater choice in how the XML is arranged. Input sanitation can furthermore limit the attack vector.
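As an added, standard-library-only example (not from this issue or the pySCG repository), the contrast below shows why string-built XML is the CWE-91 pattern and how `xml.etree.ElementTree` removes it: the element tree serializer escapes markup characters in text, so untrusted input can only ever become text, never new elements. The `build_user_xml_*` functions, the `<user>` document shape and the constructed sample input are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: a value that contains markup characters.
SAMPLE_NAME = "alice</name><role>admin</role><name>"

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_name(username: str) -> bool:
    """Allowlist check (input sanitation) for a username field."""
    return bool(_NAME_RE.fullmatch(username))


def build_user_xml_unsafe(username: str, role: str) -> str:
    """Noncompliant: untrusted input is concatenated into the markup (CWE-91)."""
    return f"<user><name>{username}</name><role>{role}</role></user>"


def build_user_xml_safe(username: str, role: str) -> str:
    """Compliant: build a tree; ElementTree escapes <, > and & in text nodes."""
    if not is_valid_name(username):
        raise ValueError("username rejected by allowlist")
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")


def build_user_xml_escaped(username: str, role: str) -> str:
    """Compliant without the allowlist: tree construction alone is enough
    to keep the input as text, which the test below checks."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")


def role_count(xml_text: str) -> int:
    """Parse the document and count <role> children of the root element."""
    return len(ET.fromstring(xml_text).findall("role"))


def name_text(xml_text: str) -> str:
    """Return the text of the single <name> element after a parse round-trip."""
    return ET.fromstring(xml_text).findtext("name")


if __name__ == "__main__":
    print(build_user_xml_unsafe(SAMPLE_NAME, "user"))
    print(build_user_xml_escaped(SAMPLE_NAME, "user"))
```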
