Document doesn't use dangerous Nokogiri config
david-a-wheeler authored Jan 26, 2018
1 parent 00c90e5 commit c47d8ff
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions README.rdoc
Expand Up @@ -257,6 +257,16 @@ And the mailing list is on librelist:

And the IRC channel is \#loofah on freenode.

== Security

Some tools may incorrectly report loofah is a potential security vulnerability.
Loofah depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way
(by enabling its DTDLOAD option and disabling its NONET option).
This dangerous Nokogiri configuration, which is sometimes used by other components,
can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
However, loofah never enables this dangerous Nokogiri configuration;
loofah never enables DTDLOAD, and it never disables NONET.

== Related Links

* Nokogiri: http://nokogiri.org
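Review bot: the key assurance in the new "== Security" paragraph ("loofah never enables DTDLOAD, and it never disables NONET") is a code-level invariant that this hunk documents only in prose; consider backing it with a unit test that asserts the Nokogiri parse options loofah passes never include DTDLOAD and always retain NONET, so the README claim cannot silently drift from the code if the Nokogiri call sites change. It would also help readers to point at the specific location where loofah invokes Nokogiri so the statement can be verified rather than taken on trust. Minor wording: "report loofah is a potential security vulnerability" reads better as "report that loofah is a potential security vulnerability", and the paragraph mixes "loofah" and "Loofah" capitalization.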
