[PATCH 1 of 2] Xslt: disabled loading of external entities over network
Maxim Dounin
mdounin at mdounin.ru
Tue Nov 4 02:42:25 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1762216128 -10800
# Tue Nov 04 03:28:48 2025 +0300
# Node ID 11dfa80270f8358caaaca66363f4f8a3446b43b5
# Parent 6c1b100b965a34be2bc16d67341f7fddf1f38fd2
Xslt: disabled loading of external entities over network.
Loading of external entities, including ones defined with the xml_entities
directive, happens while parsing the XML response, and therefore loading
over the network can block the entire worker process for a long time. Loading
of the external DTD subset has been disabled for the very same reason since
the initial version of the module.
Further, loading over the network is in any case not available by default since
libxml2 2.13.0 (Jun 12 2024) and was completely removed in libxml2 2.15.0
(Sep 15 2025).
As such, the XML_PARSE_NONET parsing option (available since libxml2 2.6.2
from 2003) is now used to prevent loading of external entities over the
network.
diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c
--- a/src/http/modules/ngx_http_xslt_filter_module.c
+++ b/src/http/modules/ngx_http_xslt_filter_module.c
@@ -382,7 +382,7 @@ ngx_http_xslt_add_chunk(ngx_http_request
return NGX_ERROR;
}
xmlCtxtUseOptions(ctxt, XML_PARSE_NOENT|XML_PARSE_DTDLOAD
- |XML_PARSE_NOWARNING);
+ |XML_PARSE_NONET|XML_PARSE_NOWARNING);
ctxt->sax->externalSubset = ngx_http_xslt_sax_external_subset;
ctxt->sax->setDocumentLocator = NULL;
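Review bot: XML_PARSE_NONET is only applied to the parser context built in ngx_http_xslt_add_chunk, and XML_PARSE_NOENT and XML_PARSE_DTDLOAD stay set on the same call, so external entities and DTDs with local (file) system identifiers, including those declared via xml_entities, are still resolved and substituted synchronously while the response is parsed; only http/ftp system identifiers are now refused. That matches the stated intent, but it is a user-visible change for deployments on libxml2 older than 2.13.0 where such URIs were previously fetched, so a CHANGES entry and a note in the xml_entities documentation stating that network URIs are rejected rather than loaded would be worth adding alongside this hunk. The return value of xmlCtxtUseOptions() (the unsupported option bits) is still discarded, which is acceptable here since XML_PARSE_NONET predates every libxml2 version the module can build against.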