Thanks, Gunther, for the response.

@Nico: I invite you to join the ongoing discussion on sane/safe defaults for the fn:doc and fn:parse-xml functions in the qtspecs repository [1]. User feedback is always appreciated.

Best,
Christian

[1] https://github.com/qt4cg/qtspecs/issues/2034



From: Gunther Rademacher via BaseX-Talk <basex-talk@mailman.uni-konstanz.de>
Sent: Thursday, July 3, 2025 7:28:14 PM
To: nverwer@rakensi.com <nverwer@rakensi.com>; basex-talk@mailman.uni-konstanz.de <basex-talk@mailman.uni-konstanz.de>
Subject: [basex-talk] Re: Security problem in 11.9?

Hi Nico,

I’ve pasted my reply from May 3 below, in case it was missed. From my
perspective, that should address the issue - please let me know if you
see it differently.

Best regards,
Gunther



>    Sent: Saturday, 3 May 2025 at 01:19
>    From: "Gunther Rademacher" <grd@gmx.net>
>    To: nverwer@rakensi.com, basex-talk@mailman.uni-konstanz.de
>
>    Subject: Re: [basex-talk] Security problem in 11.9?
>
>    Hi Nico,
>
>    what you describe is the expected behaviour. Please be aware of the
>    recent changes of fn:doc (and also fn:parse-xml) that were made in
>    11.9.
>    
>    These functions now support options to control the access of
>    external entities, in particular
>
>      - allow-external-entities: whether external entities are
>        permitted (true) or rejected (false), default true
>      - dtd: whether external entities are processed (true) or
>        ignored (false), default true.
>
>    In fact, option dtd is not completely new, but previously its value
>    was taken from the context option DTD, which defaults to false. So
>    with 11.8, you could produce the same directory listing that you
>    experienced with 11.9 by running this on the document that you
>    provided:
>
>       basex -ODTD=yes "doc('doc.xml')"
>
>    Now the options can be supplied per function call, they are
>    independent of the context options, and the defaults are different.
>    To restore the result that you were used to with 11.9, you need to
>    run:
>
>       basex "doc('doc.xml', { 'dtd': false() })"
>    
>    You can now also run this in order to reject any external entity
>    references:
>
>       basex "doc('doc.xml', { 'allow-external-entities': false() })"
>
>    The changes were made to implement the XQuery 4.0 specification
>    of these functions:
>
>       https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-doc
>       https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-parse-xml
>    
>    This is also described here:
>
>       https://docs.basex.org/12/Standard_Functions#fn:doc
>       https://docs.basex.org/12/Standard_Functions#fn:parse-xml
>
>    Best regards,
>    Gunther