The issue in my message from 2 May still exists in BaseX 12.
The issue had to do with the following document:
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///" >
    ]>
    <foo>&xxe;</foo>
This returns a document with a listing of the root of my file system. From there, I can enter sub-directories and extract files. This is a well-known external entity injection [https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files]. This is present in both the standard and the internal parser. Currently, I can prevent this by running BaseX as a user with few permissions, but it would be better to be able to prevent this kind of entity expansion.
For my application, I need to process files sent by external users. And before that, I need to pass the security checks that my client performs.
Is this considered by other BaseX users to be a vulnerability? Why was it not present in BaseX 11.8? How (if at all) can it be solved?
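
Added example, not part of the original message and not BaseX code: a pre-screening step that inspects an uploaded file with Python's expat bindings and reports any DOCTYPE or entity declaration, so the file can be refused before it is handed to the database. The function name `screen_xml` and the policy of refusing every DTD are assumptions; expat does not fetch external entities unless a handler is installed for them, so the screening itself never touches `file:///`.

```python
import xml.parsers.expat as expat

# The document quoted in the message above.
POSTED_DOC = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
              b'<!ENTITY xxe SYSTEM "file:///" > ]> <foo>&xxe;</foo>')


def screen_xml(data: bytes) -> list[str]:
    """Return findings for `data`; an empty list means no DTD content was seen.

    Hypothetical helper: the caller refuses the upload if the list is
    non-empty and logs the findings.
    """
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}>")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # External entities carry a system or public identifier and no value.
        if sysid is not None or pubid is not None:
            findings.append(f"external entity '{name}' -> {sysid}")
        else:
            findings.append(f"internal entity '{name}'")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is set, so &xxe; is never resolved here.
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed input is refused as well rather than passed on.
        findings.append(f"not well-formed: {exc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("posted", POSTED_DOC), ("plain", b"<foo>ok</foo>")):
        result = screen_xml(doc)
        print(label, "REFUSE" if result else "ACCEPT", result)
```

This check runs in front of the database and does not change how either BaseX parser treats a DOCTYPE; it complements running the server as a low-privilege user.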