Prevent XmlReader from expanding XML entities

Frontend | Unresolved | 2 | 1103
说谎 2021-01-19 07:42

Is there a way to prevent .NET\'s XmlReader class from expanding XML entities into their value when reading the content?

For instance, suppose the follo

2 answers
  •  既然无缘 2021-01-19 08:26

    XML parsing is dangerous. In some cases it leads to CVEs and Denial-of-Service attacks.

    For example, CVE-2016-3255.

    Also it was discussed at Black Hat EU 2013.

    The most interesting document is MLDTDEntityAttacks, which provides implementations and recommendations for developers.

    Retrieve resources:

        ]>
        &windowsfile;

    DoS:

        ]>
        &a4;

    Back to your question.
    As @Evk wrote: by setting EntityHandling you can prevent expanding all entities except CharEntities.

    I don't know a solution to prevent expanding CharEntity except your own XmlReader implementation.

    I think you also want to prevent parsing & ' < > "

    FYI, here is how and where XmlTextReader parses CharEntity:

    XmlTextReader
    ParseElementContent
    & case
    ParseText
    Char entity case
    ParseCharRefInline

    This function finally parses numeric character entity references (e.g. á):
    ParseNumericCharRefInline

    This function parses named character entity references (& ' < > "):
    ParseNamedCharRef
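The two settings the answer above relies on, shown together as an added example (this is not code from the question or the answer): XmlTextReader.EntityHandling set to ExpandCharEntities, so general entities such as &greet; are reported as EntityReference nodes instead of being expanded while character entities (&amp;, &#225;) are still decoded, and XmlReaderSettings with DtdProcessing.Prohibit, XmlResolver = null and MaxCharactersFromEntities, which refuses the DOCTYPE altogether so neither the external-resource case nor the entity-expansion DoS case can start. The DTD, the entity name greet and the document body are constructed sample input, not taken from the original post.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Added example, not part of the original post.
class EntityHandlingDemo
{
    // Constructed sample: an internal DTD declares a general entity, and the
    // element content uses that entity plus two character entities.
    const string Sample =
        "<!DOCTYPE doc [ <!ENTITY greet \"hello\"> ]>" +
        "<doc>&greet; &amp; &#225;</doc>";

    // Legacy XmlTextReader: ExpandCharEntities keeps general entities as
    // EntityReference nodes but still decodes &amp; and &#225; into text.
    // XmlResolver = null makes sure no external entity is ever fetched.
    static string ReadWithXmlTextReader()
    {
        var reader = new XmlTextReader(new StringReader(Sample))
        {
            EntityHandling = EntityHandling.ExpandCharEntities,
            DtdProcessing = DtdProcessing.Parse,  // DTD is read, general entities are not expanded
            XmlResolver = null                    // never resolve external resources
        };

        var sb = new StringBuilder();
        while (reader.Read())
        {
            switch (reader.NodeType)
            {
                case XmlNodeType.EntityReference:
                    sb.Append("[&").Append(reader.Name).Append(";]");  // left unexpanded
                    break;
                case XmlNodeType.Text:
                    sb.Append(reader.Value);                           // char entities decoded
                    break;
            }
        }
        return sb.ToString();  // "[&greet;] & á"
    }

    // Modern XmlReader.Create: prohibit DTDs so no general or external entity
    // can be declared at all. The reader throws on the DOCTYPE, before any
    // entity could be expanded. MaxCharactersFromEntities is a second line of
    // defence if DtdProcessing.Parse ever has to be enabled.
    static bool RejectsDtd()
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024
        };

        try
        {
            using (var reader = XmlReader.Create(new StringReader(Sample), settings))
            {
                while (reader.Read()) { }
            }
            return false;
        }
        catch (XmlException)
        {
            return true;  // DOCTYPE rejected
        }
    }

    static void Main()
    {
        Console.WriteLine(ReadWithXmlTextReader());  // [&greet;] & á
        Console.WriteLine(RejectsDtd());             // True
    }
}
```

As the answer notes, neither setting stops the decoding of character entities; that happens inside ParseCharRefInline regardless of EntityHandling, so a caller that must see the literal `&#225;` text has to pre-scan the input or wrap the reader itself.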
