From 4cb195a998f157043c3b0a12021418a08c95226b Mon Sep 17 00:00:00 2001
From: 132ikl <132@ikl.sh>
Date: Mon, 17 Mar 2025 09:16:17 -0400
Subject: [PATCH] Disallow DTD by default in `from xml` (#15325)
# Description Follow-up to #15272, changing default to disallow DTD as discussed. Especially applicable for the `http get` case. # User-Facing Changes Changes behavior introduced in #15272, so release notes need to be updated to reflect this
---
 crates/nu-command/src/formats/from/xml.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crates/nu-command/src/formats/from/xml.rs b/crates/nu-command/src/formats/from/xml.rs
index 0c63d97c93..53c00ea0e0 100644
--- a/crates/nu-command/src/formats/from/xml.rs
+++ b/crates/nu-command/src/formats/from/xml.rs
@@ -17,8 +17,8 @@ impl Command for FromXml {
 .input_output_types(vec![(Type::String, Type::record())])
 .switch("keep-comments", "add comment nodes to result", None)
 .switch(
- "disallow-dtd",
- "disallow parsing documents with DTDs (prevents exponential entity expansion attacks)",
+ "allow-dtd",
+ "allow parsing documents with DTDs (may result in exponential entity expansion)",
 None,
 )
 .switch(
@@ -55,7 +55,7 @@ string. This way content of every tag is always a table and is easier to parse"#
 let head = call.head;
 let keep_comments = call.has_flag(engine_state, stack, "keep-comments")?;
 let keep_processing_instructions = call.has_flag(engine_state, stack, "keep-pi")?;
- let allow_dtd = !call.has_flag(engine_state, stack, "disallow-dtd")?;
+ let allow_dtd = call.has_flag(engine_state, stack, "allow-dtd")?;
 let info = ParsingInfo {
 span: head,
 keep_comments,
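Review bot: The new `allow-dtd` help text names the risk but not the default or when enabling it is reasonable, so a reader of the help output cannot tell that DTDs are rejected unless the switch is passed. Consider `"allow parsing documents with DTDs; off by default, enable only for trusted input (may result in exponential entity expansion)"`. The hint added to the `DtdDetected` message in the `@@ -278` hunk has the same gap: it says how to parse anyway but not that this is meant for input whose origin is trusted. The builder chain this switch belongs to starts and ends outside the hunk.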
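Review bot: The flipped default at `let allow_dtd = call.has_flag(engine_state, stack, "allow-dtd")?;` is a security-relevant behaviour change, yet the diffstat's four insertions are all flag and message lines, so nothing in this commit pins the new default with a test. A regression test that runs `from xml` on a document containing a `<!DOCTYPE` declaration without the switch and expects the `DtdDetected` error, plus one that passes `--allow-dtd` and parses, would stop a later refactor from silently re-enabling DTDs. A one-line comment above the assignment, e.g. `// DTDs are opt-in because input may be untrusted, e.g. piped from http get`, would record the reason given in the commit description. The enclosing function starts and ends outside the hunk.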
@@ -278,7 +278,7 @@ fn process_xml_parse_error(source: String, err: roxmltree::Error, span: Span) ->
 make_xml_error("The root node was opened but never closed.", span)
 }
 roxmltree::Error::DtdDetected => make_xml_error(
- "XML document with DTD detected.",
+ "XML document with DTD detected.\nDTDs are disabled by default to prevent denial-of-service attacks (use --allow-dtd to parse anyway)",
 span
 ),
 roxmltree::Error::NodesLimitReached => {
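Review bot: The `DtdDetected` arm now packs the diagnosis and the remedy into one string with an embedded `\n`, whereas the neighbouring arm visible here ("The root node was opened but never closed.") passes a single sentence. How `make_xml_error` renders a multi-line message is not visible in this hunk. If the error it builds has a separate help text, the `--allow-dtd` hint would sit better there; otherwise a single line such as `"XML document with DTD detected. DTDs are disabled by default to prevent denial-of-service attacks (use --allow-dtd to parse anyway)"` keeps the arms consistent. The body of `process_xml_parse_error` continues outside the hunk.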