I understand that, but it's the default that's important here. If this gets merged, Rails will no longer be automatically parsing XML from parameters by default.

Yes, the gem that's extracted could also be checked over for things like the processing of external entities. I'm not familiar with that part of the code, so I can't tell you what it does or does not do.
I recommend familiarizing yourself with the code before developing strong opinions about it.

I am familiar with what it looked like a month or so ago.
I don't have any opinions on it, I just linked to a pull request.
Sorry, I read an opinion from your comment immediately upthread, which is that you believe that simply not parsing XML is a reasonable step towards handling XML securely. I disagree with that opinion.
> you believe that simply not parsing XML is a reasonable step towards handling XML securely.

Ahh, this may be the difference, sorry. I don't think that it's a reasonable step towards handling XML securely. I _do_ think it's a step towards not exposing people who don't use XML to attacks on their site via XML-parsing code paths.

One of the worst parts of the recent security... situation was that people who didn't even support YAML or XML for their API were still vulnerable. It's these people this helps, not people who actually do use XML.

I totally agree that this isn't useful to people who are actually using XML, except for my comments about quicker releases and fixes by detaching it from Rails.
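The situation the comments above describe, where an application that never uses XML still has request bodies handed to an XML parser because the framework turns that parser on by default, as an added self-contained Ruby example. This is not Rails code and not the code from the linked pull request: the parser table, `parse_request`, `xml_to_params` and the sample requests are all constructed here to show the difference between a default-on and an opt-in XML code path, and the DOCTYPE refusal stands in for the kind of external-entity check the thread says the extracted gem would still need.

```ruby
require 'json'
require 'rexml/document'

# Hypothetical stand-in for a framework's parameter-parsing layer (not Rails).
# Each parser takes a request body string and returns a Hash of parameters.
PARSERS = {
  'application/json' => ->(body) { JSON.parse(body) },
  'application/xml'  => ->(body) { xml_to_params(body) },
}

# Convert a flat XML document (<root><key>value</key></root>) into a Hash.
# Bodies carrying a DOCTYPE are refused before the parser sees them: the DTD
# subset is where entity declarations live, and an API payload never needs one.
def xml_to_params(body)
  raise ArgumentError, 'DOCTYPE not allowed in request bodies' if body =~ /<!DOCTYPE/i
  doc = REXML::Document.new(body)
  doc.root.elements.each_with_object({}) { |el, h| h[el.name] = el.text }
end

# The Content-Type header alone selects the parser. With `enabled` left at its
# default (every registered parser), the XML path is reachable by any client that
# sets the header, whether or not the application itself ever speaks XML. Passing
# an explicit allow-list models the opt-in behaviour the thread argues for.
# Returns [http_status, params_hash].
def parse_request(content_type, body, enabled: PARSERS.keys)
  parser = PARSERS[content_type]
  return [415, {}] unless parser && enabled.include?(content_type)
  [200, parser.call(body)]
rescue JSON::ParserError, REXML::ParseException, ArgumentError => e
  [400, { 'error' => e.message }]
end

# Constructed sample requests (not captured traffic).
JSON_REQ = ['application/json', '{"user":"alice"}']
XML_REQ  = ['application/xml', '<user><name>alice</name></user>']
DTD_REQ  = ['application/xml', '<!DOCTYPE x [<!ENTITY e "y">]><user><name>&e;</name></user>']

# Run the same requests against a JSON-only application under both policies.
def demo
  json_only = ['application/json']
  {
    default_xml: parse_request(*XML_REQ),                      # 200: XML parsed by default
    optin_xml:   parse_request(*XML_REQ, enabled: json_only),  # 415: never reaches a parser
    default_dtd: parse_request(*DTD_REQ),                      # 400: DOCTYPE guard fires
    optin_dtd:   parse_request(*DTD_REQ, enabled: json_only),  # 415: never reaches a parser
    json:        parse_request(*JSON_REQ, enabled: json_only)  # 200: the app's own format
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the two `*_dtd` results is the one made upthread: the DOCTYPE guard inside the XML parser only protects you if the body reaches that parser in the first place, while the opt-in policy keeps a JSON-only application from ever depending on the XML parser being correct.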