mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-27 20:29:39 +02:00
11 lines
426 B
Ruby
# Unsafe: tainted XML reaches Nokogiri::XML with the NOENT option flag,
# enabling external-entity expansion (XXE). Nokogiri ≥ 1.10 is XXE-safe
# by default, so the gate fires only when an unsafe option flag is passed
# explicitly at the activation arg position.
require "nokogiri"

def handle(params)
  body = params["xml"]
  doc = Nokogiri::XML(body, nil, "UTF-8", Nokogiri::XML::ParseOptions::NOENT)
  doc.root.text
end
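The gate described in the fixture's comment can be approximated at the token level, as in this added example (not code from the nyx repository, and not taint tracking: it only checks the options argument of the sink call). The names `unsafe_nokogiri_calls`, `split_args` and `SAMPLE` are hypothetical; the fourth-argument position and the `NOENT` flag are taken from the fixture's call.

```ruby
require "ripper"

UNSAFE_FLAGS = %w[NOENT].freeze   # NOENT is the flag the fixture names
OPTIONS_ARG = 3                   # fourth positional argument, as in the fixture
OPENERS = %i[on_lparen on_lbracket on_lbrace on_embexpr_beg].freeze
CLOSERS = %i[on_rparen on_rbracket on_rbrace on_embexpr_end].freeze
SKIPPED = %i[on_sp on_nl on_ignored_nl on_comment].freeze

# Tokens of each top-level argument, starting just after the opening "(".
def split_args(toks, start)
  args = [[]]
  depth = 0
  toks[start..].each do |t|
    if CLOSERS.include?(t[1])
      break if depth.zero?
      depth -= 1
    elsif OPENERS.include?(t[1])
      depth += 1
    elsif t[1] == :on_comma && depth.zero?
      args << []
      next
    end
    args.last << t
  end
  args
end

# Line numbers of Nokogiri::XML(...) calls whose options argument names an
# unsafe flag. Lexing (not regex) keeps comments and strings from matching.
def unsafe_nokogiri_calls(source)
  toks = Ripper.lex(source).reject { |t| SKIPPED.include?(t[1]) }
  toks.each_index.select do |i|
    next false unless toks[i][1] == :on_const
    next false unless toks[i, 4].map { |t| t[2] } == ["Nokogiri", "::", "XML", "("]
    opts = split_args(toks, i + 4)[OPTIONS_ARG] || []
    opts.any? { |t| t[1] == :on_const && UNSAFE_FLAGS.include?(t[2]) }
  end.map { |i| toks[i][0][0] }
end

# Constructed sample input (not from the repository).
SAMPLE = <<~'RUBY'
  # NOENT in a comment must not trigger: Nokogiri::XML(a, nil, nil, NOENT)
  safe = Nokogiri::XML(body)
  also_safe = Nokogiri::XML(body, nil, "UTF-8", Nokogiri::XML::ParseOptions::NONET)
  doc = Nokogiri::XML(body, nil, "UTF-8", Nokogiri::XML::ParseOptions::NOENT)
  multi = Nokogiri::XML(f(a, b), nil, "UTF-8",
                        Nokogiri::XML::ParseOptions::NOENT | Nokogiri::XML::ParseOptions::NONET)
RUBY
puts unsafe_nokogiri_calls(SAMPLE).inspect
```

Calls that leave the options argument out, or pass only flags outside `UNSAFE_FLAGS`, are not reported, matching the comment's point that the default configuration is safe.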