From 843691609723daec0a5673bcb8a5bfeb2acfc64e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 27 Jul 2025 12:55:11 +0200
Subject: [PATCH] doc: Add another warning to XML_PARSE_DTDVALID

While most parts of libxml2, including the parser, are still vulnerable to such attacks, it is unlikely that DTD validation will ever be fixed.
---
 include/libxml/parser.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/libxml/parser.h b/include/libxml/parser.h
index 508f37e87..e941e3769 100644
--- a/include/libxml/parser.h
+++ b/include/libxml/parser.h
@@ -1727,6 +1727,9 @@ typedef enum {
  * This option enables DTD validation which requires to load
  * external DTDs and external entities (both general and
  * parameter entities) unless XML_PARSE_NO_XXE was set.
+ *
+ * DTD validation is vulnerable to algorithmic complexity
+ * attacks and should never be enabled with untrusted input.
  */
 XML_PARSE_DTDVALID = 1<<4,
 /**
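Review bot: The new caveat is placed directly after the sentence that mentions XML_PARSE_NO_XXE, so a reader can easily take the complexity warning as something that option addresses; the comment should say explicitly that the two are independent. A line such as `* Setting XML_PARSE_NO_XXE does not mitigate this; the issue is` / `* independent of whether external entities are loaded.` after the added sentence would close that gap, assuming the attacks are driven by the DTD content itself rather than by external loading, which the commit message implies but the hunk does not state. It may also be worth naming the intended alternative for untrusted documents (for example, validating only after the input has been accepted from a trusted source) so the warning is actionable rather than only prohibitive. The enclosing typedef enum begins and ends outside the hunk.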