| Version | Supported |
|---|---|
| 1.2.x | β |
| < 1.2 | β |
If you discover a security vulnerability, please DO NOT create a public issue.
Instead, use GitHub Security Advisories (Private Vulnerability Reporting):
π https://github.com/ksef4dev/ksef-fop/security/advisories/new
This allows us to:
- investigate the issue confidentially
- prepare and test a fix
- coordinate responsible disclosure
If necessary, a CVE identifier will be assigned.
The library processes two types of XML input:
- XSLT stylesheets β trusted (trusted, bundled with the library or provided by the developer)
- E-invoices / UPO documents β untrusted (provided by the caller)
All user-supplied XML must be considered untrusted.
Starting from version 1.2.18, the XML parser is configured in a secure mode:
- external entity resolution is disabled
- DOCTYPE declarations are rejected
This mitigates common XML-based attacks such as:
- XXE (XML External Entity)
- SSRF via XML entities
- entity expansion attacks (e.g. "billion laughs")
Even with secure defaults, applications using this library should:
- treat all XML input as untrusted
- validate input where appropriate (schema validation, size limits)
- avoid passing untrusted data directly from external sources without verification
We aim to:
- acknowledge reports within 3β5 working days
- provide a fix or mitigation within a reasonable timeframe
- publish a security advisory after a fix is available
Security fixes will be released as part of a patch version update.