rspec/rules/S2755/csharp/how-to-fix-it/dot-net.adoc

== How to fix it in .NET

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
using System.Xml;

public static void decode()
{
    XmlDocument parser = new XmlDocument();
    parser.XmlResolver = new XmlUrlResolver(); // Noncompliant
    parser.LoadXml("xxe.xml");
}
----

==== Compliant solution

`XmlDocument` is safe by default since .NET Framework 4.5.2. For older versions,
set `XmlResolver` explicitly to `null`.

[source,csharp,diff-id=1,diff-type=compliant]
----
using System.Xml;

public static void decode()
{
    XmlDocument parser = new XmlDocument();
    parser.XmlResolver = null;
    parser.LoadXml("xxe.xml");
}
----

=== How does this work?

include::../../common/fix/xxe.adoc[]