nyx/tests/fixtures/xxe/ruby/unsafe_xxe.rb

# Unsafe: tainted XML reaches REXML::Document.new, the legacy default-vulnerable
# pure-Ruby XML parser that resolves external entities by default.
require "rexml/document"

def handle(params)
  body = params["xml"]
  doc = REXML::Document.new(body)
  doc.root.text
end
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`# Unsafe: tainted XML reaches REXML::Document.new, the legacy default-vulnerable`
			`# pure-Ruby XML parser that resolves external entities by default.`
			`require "rexml/document"`

			`def handle(params)`
			`body = params["xml"]`
			`doc = REXML::Document.new(body)`
			`doc.root.text`
			`end`