Hello! The following patch series addresses some shortcomings of the XSLT filter module (ngx_http_xslt_module), notably:
- Attempts to load external entities over network are now rejected. These anyway won't work with libxml2 2.13.0 or later, but with older versions of the library attempts to load external entities over network might block the entire worker process for a long time, and therefore shouldn't be used. - Loading of external entities from the internal DTD subset (that is, the XML document itself) via system identifiers are now forbidden by default, making it slightly safer to use the module with untrusted XML documents. Loading via public identifiers (with appropriate system XML catalogs) and from the external DTD subset (provided with the "xml_entities" directive) still works as usual. If loading of external entities from the internal DTD subset via system identifiers is intentional, the "xml_external_entities" directive can be used to re-enable loading of such entities. Review and testing appreciated. -- Maxim Dounin
