Nick Wellnhofer e7802738c6 parser: Don't load external content if only XML_SKIP_IDS is set ...

At some point, the `loadsubset` member was augmented to also control
handling of ID attributes in addition to loading of external DTDs. These
two features are unrelated and shouldn't have been mixed. This mistake
was probably inspired by the misnamed XML_DETECT_IDS flag. As a side
effect, setting XML_SKIP_IDS always enabled loading of external DTDs and
parameter entities.

This change makes it possible to ignore IDs without loading external
content. This is a deliberate API change that improves security and is
unlikely to affect users.

This also makes sure that the new XML_PARSE_SKIP_IDS option doesn't
enable unsafe behavior.

2025-06-22 15:18:43 +02:00

58 KiB

Raw Blame History

View Raw