Hi Gregor, > Moritz, I'm not completely sure I understand which changes to the > docs you imagined, but I've added the following now: > > +B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work > +as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>. > +To completelty turn off expanding external entities use C<no_xxe>. > + > +=item no_xxe > + > +If this argument is set to a true value, expanding of external entities is > +turned off. > +
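Review bot: "completelty" in the third added line of the warning is a typo for "completely". The warning also says that setting expand_external_ents to 0 or -1 "doesn't work as expected" without saying what happens instead; one sentence on the actual behaviour would spare readers a trip to the RT ticket. For the new =item no_xxe, consider stating its default and what happens when both no_xxe and expand_external_ents are given.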
Looks great, that's exactly what I had in mind!

> In general, if we go ahead with something like this, I'm not sure if
> we should really close this bug; the issue is mitigated by using and
> documenting no_xxe but the expand_external_ents option is still buggy.
> [0].

I assume it was an oversight for expand_external_ents, but then they didn't want to break existing behaviour and only added no_xxe as a new option. Which (if properly documented) is fine, it's not uncommon that impacting changes are only hidden behind newly introduced flags for a lot of libraries.

I think there are arguments for both closing and keeping the bug.

Cheers,
Moritz