clojure.xml processes XXE by default
clojure.xml by default processes XML external entities. This allows inclusion of external files in the processed XML, both from the local file system and from remote servers. This seems like a bad idea when processing untrusted input.
Here's an example that includes /etc/hostname in the result (if you do not have that file on your computer, the result is a FileNotFoundException):
As far as I know, this feature is rarely used and e.g. data.xml disables it by default. Could it be disabled in clojure.xml as well to make it safer by default?
In https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html it is recommended to set
when doing so, the above example fails because it declares a doc-type.
I have opted to not set that feature, but rather chosen to set the other mentioned features to false.
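The two options discussed in the answer above, as an added example that is not part of the original thread and not clojure.xml's own code: a `startparse` function for `clojure.xml/parse` that sets the OWASP-listed entity features to false and, optionally, rejects any DOCTYPE. The names `hardened-startparse` and `parse-untrusted`, the namespace, and the sample document are constructed for illustration.

```clojure
(ns example.safe-xml
  (:require [clojure.xml :as xml])
  (:import (java.io ByteArrayInputStream InputStream)
           (javax.xml.parsers SAXParserFactory)
           (org.xml.sax.helpers DefaultHandler)))

;; JAXP/Xerces feature URIs listed in the OWASP XXE prevention cheat sheet.
(def ^:private entity-features
  ["http://xml.org/sax/features/external-general-entities"
   "http://xml.org/sax/features/external-parameter-entities"
   "http://apache.org/xml/features/nonvalidating/load-external-dtd"])

(def ^:private disallow-doctype
  "http://apache.org/xml/features/disallow-doctype-decl")

(defn hardened-startparse
  "Returns a startparse fn usable as the second argument of clojure.xml/parse.
  The entity features are always switched off, so external entities and
  external DTDs are not fetched. With strict? true the parser additionally
  refuses any document that declares a DOCTYPE."
  [strict?]
  (fn [^InputStream in ^DefaultHandler handler]
    (let [factory (SAXParserFactory/newInstance)]
      (doseq [f entity-features]
        (.setFeature factory ^String f false))
      (when strict?
        (.setFeature factory ^String disallow-doctype true))
      (.parse (.newSAXParser factory) in handler))))

(defn parse-untrusted
  "Parses an XML string with the hardened parser (hypothetical helper)."
  ([s] (parse-untrusted s false))
  ([^String s strict?]
   (xml/parse (ByteArrayInputStream. (.getBytes s "UTF-8"))
              (hardened-startparse strict?))))

;; Constructed sample: declares an external entity with a placeholder target.
(def sample
  (str "<?xml version=\"1.0\"?>"
       "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///constructed/placeholder\">]>"
       "<r>&e;</r>"))

(comment
  (parse-untrusted sample)        ; lenient mode: DOCTYPE allowed, entity features off
  (parse-untrusted sample true))  ; strict mode: DOCTYPE declarations refused
```

Strict mode is the stronger setting for input that never needs a DOCTYPE; the lenient mode matches the choice described in the answer, which keeps documents with a DOCTYPE parseable.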