These functions now support options to control the access of external entities, in particular:
- allow-external-entities: whether external entities are permitted (true) or rejected (false), default true
- dtd: whether external entities are processed (true) or ignored (false), default true.
In fact, option dtd is not completely new, but previously its value was taken from the context option DTD, which defaults to false. So with 11.8, you could produce the same directory listing that you experienced with 11.9 by running this on the document that you provided:
basex -ODTD=yes "doc('doc.xml')"
Now the options can be supplied per function call; they are independent of the context options, and the defaults are different. To restore the result that you were used to with 11.9, you need to run:
basex "doc('doc.xml', { 'dtd': false() })"
Sent: Friday, 2 May 2025 at 09:38
From: "Nico Verwer (Rakensi)" <nverwer@rakensi.com>
To: basex-talk@mailman.uni-konstanz.de
Subject: [basex-talk] Security problem in 11.9?
Hello everyone on the list!
There is a change between 11.8 and 11.9, related to security settings.
This has to do with the following document:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
]>
<foo>&xxe;</foo>
When parsing this document, BaseX 11.8 threw an error with code
err:FODC0002, which means that the resource cannot be retrieved.
BaseX 11.9 gives a listing of the root directory of my computer. This can be used to retrieve all files on my computer, which is a security risk.