> I dunno why nobody used things like external includes in XML In practice they ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		mpyne 30 days ago \| parent \| context \| favorite \| on: Worst of breed software > I dunno why nobody used things like external includes in XML In practice they led to fairly severe security vulnerabilities. "XXE" used to be an OWASP Web Top 10 issue, and the reason it dropped off the list was because XML mostly went away, not because it stopped being a thing. > But at least, I think XML doesn't have macro expansions, so that's a win. XML, like HTML, has entities that can be expanded. Unlike HTML you can define them in XML and this led to the "Billion laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack

marcosdumay 30 days ago [–]

> In practice they led to fairly severe security vulnerabilities.

Well, that seems to not matter for the people writing YAML.

> XML, like HTML, has entities that can be expanded.

Lol! Of course I'd be wrong about that.

Expecting XML not to have a well known security vulnerability is a losing proposition.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact