rspec/rules/S2755/csharp/how-to-fix-it/dot-net.adoc

== How to fix it in .NET

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
using System.Xml;

public static void decode()
{
    XmlDocument parser = new XmlDocument();
    parser.XmlResolver = new XmlUrlResolver(); // Noncompliant
    parser.LoadXml("xxe.xml");
}
----

==== Compliant solution

`XmlDocument` is safe by default since .NET Framework 4.5.2. For older versions,
set `XmlResolver` explicitly to `null`.

[source,csharp,diff-id=1,diff-type=compliant]
----
using System.Xml;

public static void decode()
{
    XmlDocument parser = new XmlDocument();
    parser.XmlResolver = null;
    parser.LoadXml("xxe.xml");
}
----

=== How does this work?

include::../../common/fix/xxe.adoc[]
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`== How to fix it in .NET`

			`=== Code examples`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

			`[source,csharp,diff-id=1,diff-type=noncompliant]`
			`----`
			`using System.Xml;`

			`public static void decode()`
			`{`
			`XmlDocument parser = new XmlDocument();`
			`parser.XmlResolver = new XmlUrlResolver(); // Noncompliant`
			`parser.LoadXml("xxe.xml");`
			`}`
			`----`

			`==== Compliant solution`

			`XmlDocument` is safe by default since .NET Framework 4.5.2. For older versions,
			set `XmlResolver` explicitly to `null`.

			`[source,csharp,diff-id=1,diff-type=compliant]`
			`----`
			`using System.Xml;`

			`public static void decode()`
			`{`
			`XmlDocument parser = new XmlDocument();`
			`parser.XmlResolver = null;`
			`parser.LoadXml("xxe.xml");`
			`}`
			`----`

			`=== How does this work?`

			`include::../../common/fix/xxe.adoc[]`