I am trying to build & develop a Security POC, this code is part of an app that I've extracted into a smaller app because I am having some difficulty with it.

    String str = "<?xml version=\"1.0\"?><!DOCTYPE foo[<!ELEMENT foo ANY> <!ENTITY word \"A\">]><foo>&word;</foo>";
    System.Xml.XmlDocument xDoc = new System.Xml.XmlDocument();
    xDoc.LoadXml(str);
    xDoc.Save(@"C:\Temp\xdoc.xml");

Consider that the XML string contains a DTD entity, word, which is referenced in my actual XML. When the document is loaded, I would expect the DTD to get processed and therefore replace the entity "word" referred to in my XML with the character string "A", then write the whole document back out to disk. However, when I examine xdoc.xml, the entity expansion/replacement hasn't happened.

Why not?

vcsjones
CHowell
  • Your title says XDocument, but you are using XmlDocument in your code. Is it XmlDocument that you are asking about? – vcsjones Sep 27 '13 at 18:30
  • Possible duplicate of http://stackoverflow.com/questions/5391274/does-linq-to-xml-ignore-includes-from-a-dtd – Alireza Sep 27 '13 at 18:42
  • @Alireza - Not quite the same, nor is the answer there particularly helpful. I want to know explicitly what the problem is with this code. – CHowell Sep 27 '13 at 21:48
  • @Vcsjones - Yes it is XmlDocument I am asking about. – CHowell Sep 27 '13 at 21:49

1 Answer

You can find the following in the documentation of the LoadXml method, which you use in your code:

This method does not do DTD or Schema validation. If you want validation to occur, use the Load method and pass it an XmlValidatingReader. See XmlDocument for an example of load-time validation

The article, this one and many others provide code examples of DTD validation.

Oleg
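
The following is an added example, not code from the question or the answer. It loads the question's XML string through an `XmlReader` whose `XmlReaderSettings` state the DTD policy explicitly: `DtdProcessing.Prohibit` rejects any document with a DOCTYPE, while `DtdProcessing.Parse` with a null resolver and an entity size cap lets the reader expand `&word;` before the document is built. It assumes .NET 4.0 or later; the class name and the `LoadWith` helper are hypothetical.

```csharp
using System;
using System.IO;
using System.Xml;

class DtdProcessingDemo
{
    // The XML string from the question: an internal DTD declaring the entity "word".
    const string Xml =
        "<?xml version=\"1.0\"?><!DOCTYPE foo[<!ELEMENT foo ANY> " +
        "<!ENTITY word \"A\">]><foo>&word;</foo>";

    // Hypothetical helper: load Xml through an XmlReader built from the given settings.
    static string LoadWith(XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(Xml), settings))
            {
                var doc = new XmlDocument();
                doc.XmlResolver = null;   // never fetch external DTDs or entities
                doc.Load(reader);
                return "loaded: " + doc.DocumentElement.OuterXml;
            }
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        // Untrusted input: refuse any document that carries a DOCTYPE.
        var strict = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };

        // Trusted input that needs its entities: parse the DTD, but block
        // external resolution and cap the total size of expanded entities.
        var expand = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024
        };

        Console.WriteLine("Prohibit -> " + LoadWith(strict));
        Console.WriteLine("Parse    -> " + LoadWith(expand));
    }
}
```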