x0rIs it me or is there no way to prevent #xmllint from loading external #XML entities in an XML document? I’ve been trying to find a command-line switch to disable that entirely but to no avail. There’s the --nonet option, but it only disables remote XML entity loading and I can still include /etc/passwd in my output.
Does it mean that any program calling the xmllint utility from #libxml2 (e.g. a shell script) is vulnerable to XML external entity injection?