Versions Compared

Comment: qualified: not all XML processors are vulnerable to external entity attacks during validation

...

When an XML processor recognizes a reference to a parsed entity, to validate the document, the processor MUST include its replacement text. If the entity is external, and the processor is not attempting to validate the XML document, the processor MAY, but need not, include the entity's replacement text.

Because inclusion of replacement text from an external entity is optional, not all XML processors are vulnerable to external entity attacks during validation.

An XML external entity (XXE) attack occurs when XML input containing a reference to an external entity is processed by a improperly configured XML parser.  An attacker might use an XXE attack to gain access to sensitive information by manipulating the URI of the entity to refer to files on the local file system containing sensitive data such as passwords or private user data.  An attacker might launch a denial-of-service attack, for example, by specifying /dev/random or /dev/tty as input URIs can crash or indefinitely block a program. Because inclusion of replacement text from an external entity is optional, not all XML processors are vulnerable to external entity attacks.

Noncompliant Code Example

...
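
Review bot: the qualifier "during validation" on the stand-alone sentence contradicts the XML specification text quoted directly above it. That text says the processor MUST include replacement text to validate the document, and MAY skip an external entity only when it is not attempting to validate. Optional inclusion therefore explains why a non-validating processor can be unaffected, not why a processor would be safe during validation. Suggest scoping the sentence the other way, for example "not all XML processors are vulnerable to external entity attacks when they are not validating". The unqualified form of the same sentence also appears at the end of the XXE paragraph; if it is meant to remain, the page makes the point twice with different scope, so keep only one. In the same paragraph, "a improperly configured" should read "an improperly configured", and the denial-of-service sentence ("by specifying /dev/random or /dev/tty as input URIs can crash or indefinitely block a program") needs a subject for "can crash".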