Info Call to XML parsing API

Description

Improper XML parsing can lead to several vulnerabilities, which can result in arbitrary file access (XML External Entity injection, XML injection) or denial of service (billion laughs, quadratic blowup).

Recommendation

This entry is informative, no recommendations applicable.

Technical details

Method androidx.appcompat.widget.ActivityChooserModel$PersistHistoryAsyncTask.doInBackground() calling method android.util.Xml.newSerializer()

Couldn't retrieve source code

Method org.androidannotations.api.sharedpreferences.SetXmlSerializer.serialize() calling method android.util.Xml.newSerializer()


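    public static String serialize(java.util.Set p5)
    {
        // A null set is serialized as an empty set.
        if (p5 == null) {
            p5 = java.util.Collections.emptySet();
        }
        java.io.StringWriter v0_1 = new java.io.StringWriter();
        org.xmlpull.v1.XmlSerializer v1 = android.util.Xml.newSerializer();
        try {
            v1.setOutput(v0_1);
            v1.startTag("", "AA_set");
            // The decompiler mistyped this local as XmlSerializer; it is the set's iterator.
            java.util.Iterator v5_1 = p5.iterator();
            while (v5_1.hasNext()) {
                // text() escapes XML metacharacters in each element's value.
                v1.startTag("", "AA_string").text(((String) v5_1.next())).endTag("", "AA_string");
            }
            v1.endTag("", "AA_set").endDocument();
        } catch (IllegalArgumentException | java.io.IOException e) {
            // IOException is declared by the XmlSerializer methods and must be handled to compile.
            // Errors are swallowed; whatever was written so far is returned.
        }
        return v0_1.toString();
    }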