Harden DocxReport and DOMUtils XML parsers against XXE by MarkLee131 · Pull Request #735 · opensagres/xdocreport

MarkLee131 · 2026-06-13T08:28:02Z

Route DocxReport.onBeforePreprocessing and DOMUtils.load through a shared hardened factory and disallow DOCTYPE in SAXXDocPreprocessor. Adds a regression test. Fixes #734.

Route DocxReport.onBeforePreprocessing and DOMUtils.load through a shared hardened factory and disallow DOCTYPE in SAXXDocPreprocessor. Adds a regression test. Fixes opensagres#734.

Harden DocxReport and DOMUtils XML parsers against XXE

2e57955

Route DocxReport.onBeforePreprocessing and DOMUtils.load through a shared hardened factory and disallow DOCTYPE in SAXXDocPreprocessor. Adds a regression test. Fixes opensagres#734.

MarkLee131 mentioned this pull request Jun 13, 2026

XXE when rendering an untrusted DOCX: DocxReport / DOMUtils parse archive entries without entity hardening #734

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Harden DocxReport and DOMUtils XML parsers against XXE#735

Harden DocxReport and DOMUtils XML parsers against XXE#735
MarkLee131 wants to merge 1 commit into
opensagres:masterfrom
MarkLee131:fix/xxe-sibling-parsers

MarkLee131 commented Jun 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

MarkLee131 commented Jun 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant