Change ReadExternalEntities Default value

dotnet/src/dotnetcore/GxClasses/Domain/GXXmlReadWrite.cs

@@ -113,7 +113,7 @@ public GXXMLReader()
 			SimpleElements = 1;
 			RemoveWhiteNodes = 1;
 			RemoveWhiteSpaces = 1;
-			ReadExternalEntities = 1;
+			ReadExternalEntities = 0;
 			_basePath = "";
 
 		}
@@ -225,6 +225,8 @@ private void SetDtdProcessing(XmlReaderSettings treaderSettings, GXResolver reso
 		{
 			if (treaderSettings != null && !resolver.ReadExternalEntities && validationType == ValidationNone)
 				treaderSettings.DtdProcessing = DtdProcessing.Ignore;
+			else
+				treaderSettings.DtdProcessing = DtdProcessing.Parse;
 		}
 
 		public short OpenResponse(IGxHttpClient httpClient)
@@ -1187,7 +1189,7 @@ private class GXResolver: XmlUrlResolver
 		{
 
 			private Uri myself;
-			private bool readExternalEntities = true;
+			private bool readExternalEntities = false;
 			private GXXMLReader xmlreader;
 			private UnparsedEntitiesContainer entities;
 
@@ -1219,6 +1221,7 @@ public GXResolver(GXXMLReader reader, UnparsedEntitiesContainer EntitiesContaine
 			{
 				xmlreader = reader;
 				entities = EntitiesContainer;
+				readExternalEntities = false;
 			}
 
 			public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)	

dotnet/src/dotnetframework/GxClasses/Domain/GXXmlReadWrite.cs

@@ -1189,7 +1189,7 @@ private class GXResolver: XmlUrlResolver
 		{
 
 			private Uri myself;
-			private bool readExternalEntities = true;
+			private bool readExternalEntities = false;
 			private GXXMLReader xmlreader;
 			private UnparsedEntitiesContainer entities;
 
@@ -1221,6 +1221,7 @@ public GXResolver(GXXMLReader reader, UnparsedEntitiesContainer EntitiesContaine
 			{
 				xmlreader = reader;
 				entities = EntitiesContainer;
+				readExternalEntities = false;
 			}
 
 			public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)	

dotnet/test/DotNetCoreUnitTest/DotNetCoreUnitTest.csproj

@@ -18,6 +18,7 @@
 	    <Compile Include="..\DotNetUnitTest\Domain\GxGenericDictionaryTest.cs" Link="Domain\GxGenericDictionaryTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\Domain\GxHttpClientTest.cs" Link="Domain\GxHttpClientTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\Domain\ShellTest.cs" Link="Domain\ShellTest.cs" />		
+	    <Compile Include="..\DotNetUnitTest\Domain\XmlReaderTest.cs" Link="Domain\XmlReaderTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\Domain\TimeZoneTest.cs" Link="Domain\TimeZoneTest.cs" />		
 	    <Compile Include="..\DotNetUnitTest\FileIO\DfrgFunctions.cs" Link="FileIO\DfrgFunctions.cs" />
 		<Compile Include="..\DotNetUnitTest\FileIO\FileSystemTest.cs" Link="FileIO\FileSystemTest.cs" />
@@ -45,6 +46,9 @@
 		<EmbeddedResource Include="..\DotNetUnitTest\type_SdtItem.cs" Link="type_SdtItem.cs">
 			<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 		</EmbeddedResource>
+		<Content Include="..\DotNetUnitTest\resources\QueryViewerObjects.xml" Link="resources\QueryViewerObjects.xml">
+		  <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+		</Content>
 		<Content Include="..\DotNetUnitTest\resources\xml\error.xml" Link="resources\xml\error.xml">
 		  <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 		</Content>
@@ -172,6 +176,9 @@
 
 
 	<ItemGroup>
+	  <None Include="..\DotNetUnitTest\resources\QueryViewerObjects.xsd" Link="resources\QueryViewerObjects.xsd">
+	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+	  </None>
 	  <None Include="..\DotNetUnitTest\resources\xml\xmlTohtml1.xsl" Link="resources\xml\xmlTohtml1.xsl">
 	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
 	  </None>

dotnet/test/DotNetUnitTest/Domain/XmlReaderTest.cs

@@ -0,0 +1,88 @@
+using System;
+using System.IO;
+using System.Xml;
+using GeneXus.XML;
+using Xunit;
+
+namespace xUnitTesting
+{
+	public class XmlReaderTest
+	{
+		[Fact]
+		public void TestExternalEntitiesEnabled()
+		{
+			TestExternalEntities(1);
+		}
+		[Fact]
+		public void TestExternalEntitiesDisabled()
+		{
+			TestExternalEntities(0);
+		}
+		void TestExternalEntities(int externalEntities)
+		{
+			string xml;
+			string value;
+			GXXMLReader xmlReader;
+
+			using (xmlReader = new GXXMLReader(Directory.GetCurrentDirectory()))
+			{
+				xmlReader.ReadExternalEntities = externalEntities;
+				xml = "";
+				xml += "<!DOCTYPE Envelope [";
+				xml += "<!ELEMENT Envelope ANY >";
+				xml += "<!ENTITY xxe \"Hello\">";
+				xml += "<!ENTITY xxe2 \"&xxe;&xxe;&xxe;&xxe;\">";
+				xml += "] >";
+				xml += "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xxe=\"issue63212\">";
+				xml += "<soapenv:Header/>";
+				xml += "<soapenv:Body>";
+				xml += "<xxe:helloworld.Execute>";
+				xml += "<xxe:Name>&xxe2;</xxe:Name>";
+				xml += "</xxe:helloworld.Execute>";
+				xml += "</soapenv:Body>";
+				xml += "</soapenv:Envelope>";
+				xmlReader.OpenFromString(xml);
+				Assert.Equal(0, xmlReader.ErrCode);
+				Assert.Equal(string.Empty, xmlReader.ErrDescription);
+				if (!xmlReader.EOF)
+				{
+					xmlReader.Read();
+					Assert.Equal(0, xmlReader.ErrCode);
+					Assert.Equal(string.Empty, xmlReader.ErrDescription);
+					value = xmlReader.Value;
+					if (externalEntities==0)
+						Assert.Equal(string.Empty, value);
+					else
+						Assert.Equal("Envelope", value);
+				}
+				xmlReader.Close();
+			}
+
+		}
+		[Fact]
+		public void TestValidationType()
+		{
+			string value;
+			GXXMLReader xmlReader;
+
+			using (xmlReader = new GXXMLReader(Directory.GetCurrentDirectory()))
+			{
+				xmlReader.ValidationType = GXXMLReader.ValidationSchema;
+				xmlReader.AddSchema("./resources/QueryViewerObjects.xsd", "qv");
+				xmlReader.Open("./resources/QueryViewerObjects.xml");
+				Assert.Equal(string.Empty, xmlReader.ErrDescription);
+				Assert.Equal(0, xmlReader.ErrCode);
+				if (!xmlReader.EOF)
+				{
+					xmlReader.Read();
+					Assert.Equal(0, xmlReader.ErrCode);
+					Assert.Equal(string.Empty, xmlReader.ErrDescription);
+					value = xmlReader.Name;
+					Assert.Equal("Objects", value);
+				}
+				xmlReader.Close();
+			}
+
+		}
+	}
+}

dotnet/test/DotNetUnitTest/DotNetUnitTest.csproj

@@ -122,6 +122,12 @@
     <None Update="resources\bird-thumbnail.jpg">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Update="resources\QueryViewerObjects.xml">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="resources\QueryViewerObjects.xsd">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Update="resources\text.txt">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Objects xmlns="qv">
+  <Object name="General.UI.SidebarItemsDP" id="1" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="Cliente_DataProvider" id="2" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderNone" id="7" type="DataProvider" IntegratedSecurityLevel="SecurityNone" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderAuthorization" id="8" type="DataProvider" IntegratedSecurityLevel="SecurityHigh" PermissionPrefix="DataProviderAuthorization" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="DataProviderAuthentication" id="9" type="DataProvider" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryNone" id="1" type="Query" IntegratedSecurityLevel="SecurityNone" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryAuthentication" id="2" type="Query" IntegratedSecurityLevel="SecurityLow" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+  <Object name="QueryAuthorization" id="3" type="Query" IntegratedSecurityLevel="SecurityHigh" PermissionPrefix="QueryAuthorization" xmlns="qv">
+    <DefaultOutput type="OutputTypePivotTable" xmlns="qv" />
+  </Object>
+</Objects>

dotnet/test/DotNetUnitTest/resources/QueryViewerObjects.xsd

@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+		   targetNamespace="qv"
+		   xmlns="qv"
+		   elementFormDefault="qualified">
+	<xs:element name="Objects">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="Object" minOccurs="0" maxOccurs="unbounded">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="DefaultOutput">
+								<xs:complexType>
+									<xs:attribute name="type" type="outputType" use="required"/>
+								</xs:complexType>
+							</xs:element>
+						</xs:sequence>
+						<xs:attribute name="name" type="xs:string" use="required"/>
+						<xs:attribute name="id" type="xs:nonNegativeInteger" use="required"/>
+						<xs:attribute name="type" type="objectType" use="required"/>
+						<xs:attribute name="IntegratedSecurityLevel" type="securityLevel"/>
+						<xs:attribute name="PermissionPrefix" type="xs:string"/>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	<xs:simpleType name="objectType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="Query"/>
+			<xs:enumeration value="DataProvider"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:simpleType name="securityLevel">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="SecurityNone"/>
+			<xs:enumeration value="SecurityLow"/>
+			<xs:enumeration value="SecurityHigh"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:simpleType name="outputType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="OutputTypeCard"/>
+			<xs:enumeration value="OutputTypeMap"/>
+			<xs:enumeration value="OutputTypePivotTable"/>
+			<xs:enumeration value="OutputTypeTable"/>
+			<xs:enumeration value="OutputTypeChartColumn"/>
+			<xs:enumeration value="OutputTypeChartColumn3D"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn3D"/>
+			<xs:enumeration value="OutputTypeChartStackedColumn100"/>
+			<xs:enumeration value="OutputTypeChartBar"/>
+			<xs:enumeration value="OutputTypeChartStackedBar"/>
+			<xs:enumeration value="OutputTypeChartStackedBar100"/>
+			<xs:enumeration value="OutputTypeChartArea"/>
+			<xs:enumeration value="OutputTypeChartStackedArea"/>
+			<xs:enumeration value="OutputTypeChartStackedArea100"/>
+			<xs:enumeration value="OutputTypeChartSmoothArea"/>
+			<xs:enumeration value="OutputTypeChartStepArea"/>
+			<xs:enumeration value="OutputTypeChartLine"/>
+			<xs:enumeration value="OutputTypeChartStackedLine"/>
+			<xs:enumeration value="OutputTypeChartStackedLine100"/>
+			<xs:enumeration value="OutputTypeChartSmoothLine"/>
+			<xs:enumeration value="OutputTypeChartStepLine"/>
+			<xs:enumeration value="OutputTypeChartPie"/>
+			<xs:enumeration value="OutputTypeChartPie3D"/>
+			<xs:enumeration value="OutputTypeChartDoughnut"/>
+			<xs:enumeration value="OutputTypeChartDoughnut3D"/>
+			<xs:enumeration value="OutputTypeChartLinearGauge"/>
+			<xs:enumeration value="OutputTypeChartCircularGauge"/>
+			<xs:enumeration value="OutputTypeChartRadar"/>
+			<xs:enumeration value="OutputTypeChartFilledRadar"/>
+			<xs:enumeration value="OutputTypeChartPolarArea"/>
+			<xs:enumeration value="OutputTypeChartFunnel"/>
+			<xs:enumeration value="OutputTypeChartPyramid"/>
+			<xs:enumeration value="OutputTypeChartColumnLine"/>
+			<xs:enumeration value="OutputTypeChartColumn3DLine"/>
+			<xs:enumeration value="OutputTypeChartTimeline"/>
+			<xs:enumeration value="OutputTypeChartSmoothTimeline"/>
+			<xs:enumeration value="OutputTypeChartStepTimeline"/>
+			<xs:enumeration value="OutputTypeChartSparkline"/>
+		</xs:restriction>
+	</xs:simpleType>
+</xs:schema>