Entity declarations define shortcuts to commonly used text or special characters. An entity declaration may define either an internal or external entity. For internal entities, the content of the entity is given in the declaration. For external entities, the content is specified by a Uniform Resource Identifier (URI).
...
An XML external entity (XXE) attack occurs when XML input containing a reference to an external entity is processed by an improperly configured XML parser. An attacker might use an XXE attack to gain access to sensitive information by manipulating the URI of the entity to refer to files on the local file system containing sensitive data such as passwords or private user data. An attacker might also launch a denial-of-service attack, for example, by specifying /dev/random or /dev/tty as input URIs, which can crash or indefinitely block a program.
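The two passages above (entity declarations with internal versus external content, and the XXE and denial-of-service consequences of resolving external entities) can be tied together in one defensive parser. The following is an added example, not code from the CERT page or the standard it belongs to: it uses Python's standard-library expat bindings, and the function names, the UnsafeXMLError type and the sample documents are constructed for this example. It refuses any document that declares an entity whose content would come from a URI, and, by default, refuses any DTD at all.

```python
# Added example (not from the CERT page): parse untrusted XML with Python's
# stdlib expat parser configured so that DTDs and external entities are refused.
# Function names, the UnsafeXMLError type and the sample documents are this
# example's own constructions.
import re
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted input carries a DTD or an external entity."""


# Pre-parse screen: entities can only be declared inside a DTD, so a document
# without a DOCTYPE cannot declare one. XML keywords are case-sensitive.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")


def has_doctype(data: bytes) -> bool:
    """True if the document carries a DTD (the only place an entity can be declared)."""
    return _DOCTYPE_RE.search(data) is not None


def parse_untrusted(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse `data` into {element name: concatenated text}, refusing anything
    that could make the parser read a URI chosen by the document's author.

    allow_dtd=False (default): any <!DOCTYPE ...> is refused outright.
    allow_dtd=True: an internal DTD subset is tolerated (internal text
    entities work), but external entities and external subsets are refused.
    """
    text_by_element: dict = {}
    open_elements: list = []
    parser = expat.ParserCreate()
    # Never fetch an external DTD or parameter entity, whatever the document asks.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXMLError(f"DOCTYPE {name!r} refused in untrusted input")
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError(f"external DTD subset {system_id!r} refused")

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation):
        # An entity whose content comes from a URI is an external entity; this is
        # the declaration an XXE payload depends on, so stop at the declaration.
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_parameter_entity else "general"
            raise UnsafeXMLError(f"external {kind} entity {name!r} -> {system_id!r} refused")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: entity_decl already refused the declaration, but a
        # reference must never be able to trigger a fetch either.
        raise UnsafeXMLError(f"external entity reference to {system_id!r} refused")

    def start_element(name, attrs):
        open_elements.append(name)
        text_by_element.setdefault(name, "")

    def end_element(name):
        open_elements.pop()

    def character_data(text):
        if open_elements:
            text_by_element[open_elements[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return text_by_element


def is_refused(data: bytes, allow_dtd: bool = False) -> bool:
    """True if parse_untrusted rejects the document."""
    try:
        parse_untrusted(data, allow_dtd)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents (not taken from the page).
SAFE_DOC = b"<?xml version='1.0'?><order><id>42</id></order>"
INTERNAL_ENTITY_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY vendor 'ACME'>]>"          # internal entity: content inline
    b"<order><id>42</id><from>&vendor;</from></order>"
)
XXE_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"  # external: content via URI
    b"<order><id>&xxe;</id></order>"
)
DOS_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY block SYSTEM 'file:///dev/random'>]>"
    b"<order><id>&block;</id></order>"
)

if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC))
    print(parse_untrusted(INTERNAL_ENTITY_DOC, allow_dtd=True))
    for doc in (XXE_DOC, DOS_DOC):
        print("refused:", is_refused(doc), is_refused(doc, allow_dtd=True))
```

The `has_doctype` screen is the cheap first line of defence and is what most hardening guidance amounts to: untrusted documents rarely have a legitimate reason to carry a DTD. The parser-level handlers matter when a DTD must be tolerated, because they distinguish an internal entity (content given in the declaration) from an external one (content fetched from a URI) and refuse the latter before any reference to it is ever expanded, so neither the file disclosure nor the /dev/random blocking case can be reached.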
...
Related Guidelines
CERT Perl Secure Coding Standard | IDS33-PL. Sanitize untrusted data passed across a trust boundary
Injection [RST]
CWE-116, Improper encoding or escaping of output
...
A Guide to Building Secure Web Applications and Web Services
[W3C 2008] | 4.4.3, "Included If Validating"
...
Rule 00: Input Validation and Data Sanitization (IDS)