Sync generated files ("make sync")

hartwork · hartwork · commit 4cf4159771e6 · 2025-11-25T21:06:49.000+01:00
diff --git a/doc/xml-security/index.html b/doc/xml-security/index.html
@@ -105,13 +105,21 @@ <h1><a href="../../doc/xml-security/">XML Security</a></h1>
 </blockquote>
 <h1>Overview</h1>
 <ul>
+<li><a href="#external-entities">External entities (XXE)</a></li>
 <li><a href="#billion-laughs">Billion laughs attack</a></li>
-<li><a href="#external-entities">External entities</a></li>
 </ul>
+<h1><a name="external-entities"></a> External entities (XXE)</h1>
+<p>XML eXternal Entity (XXE) vulnerabilities are a common security problem in applications that parse XML
+files.</p>
+<p>XXE attacks rely on accessing files via <code>file://</code> URLs. Some variations (Blind XXE) also utilize access
+to remote URLs (e.g, <code>https://</code>, <code>ftp://</code>). By default, Expat does not access external URLs (both local
+and remote) and is, therefore, not affected by XXE.</p>
+<p>Expat only supports accessing URLs if a URL handler is configured via
+<a href="https://libexpat.github.io/doc/api/latest/#XML_SetExternalEntityRefHandler"><code>XML_SetExternalEntityRefHandler</code></a>.
+Configuring a URL handler is therefore risky and should not be done if untrusted XML input is
+expected.</p>
 <h1><a name="billion-laughs"></a> Billion laughs attack</h1>
 <p>TODO</p>
-<h1><a name="external-entities"></a> External entities</h1>
-<p>TODO</p>
 </div>
         </div>
 
