Expected Findings
- XML parser resolves external entities by default.
- `file://` entities return the contents of local files.
- Returned SVG embeds the leaked content in `<text>` nodes.

The avatar SVG processor parses external entities, so an uploaded SVG can read local files and surface them in the rendered preview.

```
parser.SetFlag("resolve-external-entities", true)
```
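
One way to screen avatar uploads before they reach the SVG processor, as an added example that is not the application's own code: it uses Python's standard `xml.parsers.expat` handlers to refuse any document carrying a DOCTYPE, an entity declaration or an external entity reference. The names `screen_svg`, `check_upload` and `UnsafeSvg` are hypothetical, and the sample documents are constructed.

```python
import xml.parsers.expat


class UnsafeSvg(ValueError):
    """The upload carries a DTD, an entity declaration, or is not well-formed."""


def screen_svg(data: bytes) -> None:
    """Raise UnsafeSvg unless the document parses with no DTD and no entities."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeSvg(f"DOCTYPE declaration not allowed ({name})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeSvg(f"entity declaration not allowed ({name})")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeSvg(f"external entity reference not allowed ({system_id})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSvg(f"not well-formed XML ({exc})") from exc


def check_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded avatar."""
    try:
        screen_svg(data)
    except UnsafeSvg as exc:
        return False, str(exc)
    return True, "ok"


# Constructed samples; the file:// target is a placeholder, not a real path.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><text>hi</text></svg>'
WITH_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>'
)
UNDECLARED = b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("entity", WITH_ENTITY), ("undeclared", UNDECLARED)):
        print(label, check_upload(sample))
```

Rejecting at the DOCTYPE stops the upload before any entity is declared or resolved, so the check does not depend on how the downstream parser is configured.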