CWE-112
Missing XML Validation
The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
Status
draft
Abstraction
base
Affected Platforms
Extended Description
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.
Common Consequences
integrity
Impacts
unexpected state
Detection Methods
automated static analysis
Potential Mitigations
Phases:
architecture and design
Descriptions:
• Always validate XML input against a known XML Schema or DTD.
It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.
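As an added example, not code from this CWE entry: a Java validator that checks an untrusted document against a known XML Schema before any processing, which is the mitigation described above. The class `OrderValidation`, the constructed schema `ORDER_XSD` and the two sample documents are assumptions for illustration; external DTD and schema access is switched off so that validation itself does not fetch remote resources.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class OrderValidation {
    // Constructed schema (assumption): an order is exactly one sku followed by one positive integer quantity.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"order\">"
      + "    <xs:complexType><xs:sequence>"
      + "      <xs:element name=\"sku\" type=\"xs:string\"/>"
      + "      <xs:element name=\"quantity\" type=\"xs:positiveInteger\"/>"
      + "    </xs:sequence></xs:complexType>"
      + "  </xs:element>"
      + "</xs:schema>";

    static Schema buildSchema() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Do not resolve external DTDs or schemas while compiling the schema.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newSchema(new StreamSource(new StringReader(ORDER_XSD)));
    }

    // Returns true only when the document conforms to ORDER_XSD; any structural
    // or type violation (wrong order, extra element, non-positive quantity) is rejected.
    static boolean isValidOrder(Schema schema, String xml) {
        try {
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Schema schema = buildSchema();
        // Constructed sample input: one conforming order, one with a negative quantity and an unexpected element.
        String good = "<order><sku>A-100</sku><quantity>3</quantity></order>";
        String bad  = "<order><sku>A-100</sku><quantity>-3</quantity><discount>99</discount></order>";
        System.out.println("good conforms: " + isValidOrder(schema, good));
        System.out.println("bad conforms:  " + isValidOrder(schema, bad));
    }
}
```

Validation rejects the second document on structure and type alone; whether quantity 3 of sku A-100 is a sensible order remains a semantic check the parser cannot make, as the mitigation text notes.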