Open jzy2000 opened 9 years ago
This is probably intentional. To fix: in libinjection_xss.c:
for <?xml: in line #489, change the return from 1 to 0
for <DOCTYPE: in line #426, change the return from 1 to 0.
However, make sure you are not vulnerable to XXE attacks.
The XSS library seems to be blocking anything that begins with "<xml" or "<?xml version". As these are common strings that appear at the beginning of XML content, is it possible to adjust the XSS lib to accommodate that?
Thank you for your time.
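On the XXE caveat in the reply above: once the XSS check is relaxed so that `<?xml` and DOCTYPE prefixes pass, the service that parses the XML has to refuse DTDs itself. The following is an added example, not code from this thread or from libinjection; it assumes a Python backend, and the names `parse_untrusted_xml` and `ForbiddenXML` and the sample documents are constructed for illustration.

```python
from xml.parsers import expat
import xml.etree.ElementTree as ET


class ForbiddenXML(ValueError):
    """The document uses a construct this service refuses to process."""


def reject_doctype(name, sysid, pubid, has_internal_subset):
    # Called by expat as soon as a <!DOCTYPE ...> is seen, before any
    # entity in its internal subset is declared or expanded.
    raise ForbiddenXML(f"DOCTYPE declaration not allowed (root {name!r})")


def reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Second line of defence: no internal or external entity declarations.
    raise ForbiddenXML(f"entity declaration not allowed ({name!r})")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Accept XML with an '<?xml ...?>' declaration, reject any DTD."""
    # Pass 1: walk the document with expat; the handlers abort on DTDs.
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = reject_doctype
    checker.EntityDeclHandler = reject_entity
    checker.Parse(data, True)  # malformed XML raises expat.ExpatError
    # Pass 2: the document has no DTD, so build the tree normally.
    return ET.fromstring(data)


# Constructed sample inputs.
PLAIN = b'<?xml version="1.0"?><order><id>42</id></order>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY e "x">]>'
            b'<order><id>&e;</id></order>')


def is_accepted(data: bytes) -> bool:
    """True if the document parses and carries no DTD."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ForbiddenXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(is_accepted(PLAIN), is_accepted(WITH_DTD))
```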