Context: we are using the Spire.Xls .NET library and want to prevent XML External Entity attacks when loading XLSX files with the Spire.Xls library.
As you may know, an XLSX file is actually just an archive containing multiple XML files.
Each XML file poses a security threat if it contains DTD tags pointing to malicious DTD files, as they are loaded and processed.
Those attacks are called XML External Entity (XXE) attacks.
To prevent XXE attacks when loading XML, we need to disable DTD (Document Type Definition) processing.
In C#, this can be done by configuring the XmlReaderSettings or XmlDocument to disallow DTDs.
However, the loading of XLSX files uses an internal XmlDocument instance that I cannot modify to disable DTD processing.
Any help would be appreciated!
Thanks
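
One way to enforce the "no DTD" rule from outside the library, added here as an example that is not part of the original post and not Spire.Xls code: open the XLSX as a ZIP archive and parse every XML part with `DtdProcessing.Prohibit` before the file is handed to the library's loader. The class and method names are hypothetical, the sample archive is constructed, and it is assumed that XML parts carry a `.xml`, `.rels` or `.vml` extension.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Xml;

public static class XlsxDtdGuard // hypothetical helper, not a Spire.Xls type
{
    // Returns the first XML part that declares a DTD or is not well-formed
    // (both raise XmlException under these settings), or null if all parts pass.
    public static string FindRejectedPart(Stream xlsx)
    {
        // Prohibit: any <!DOCTYPE> throws. Null resolver: nothing external is fetched.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var zip = new ZipArchive(xlsx, ZipArchiveMode.Read, leaveOpen: true))
        {
            foreach (var entry in zip.Entries)
            {
                string name = entry.FullName.ToLowerInvariant();
                if (!(name.EndsWith(".xml") || name.EndsWith(".rels") || name.EndsWith(".vml")))
                    continue; // assumed non-XML part (images, binaries)
                try
                {
                    using (var part = entry.Open())
                    using (var reader = XmlReader.Create(part, settings))
                        while (reader.Read()) { } // walk the whole part
                }
                catch (XmlException) { return entry.FullName; }
            }
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample: one benign part, one part with an external DTD reference.
        var ms = new MemoryStream();
        using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
        {
            Write(zip, "xl/workbook.xml", "<workbook/>");
            Write(zip, "xl/sharedStrings.xml",
                "<!DOCTYPE sst SYSTEM \"http://example.invalid/x.dtd\"><sst/>");
        }
        ms.Position = 0;
        Console.WriteLine(FindRejectedPart(ms) ?? "clean");
    }

    static void Write(ZipArchive zip, string name, string xml)
    {
        using (var w = new StreamWriter(zip.CreateEntry(name).Open())) w.Write(xml);
    }
}
```

Reject the upload when the method returns a part name; otherwise rewind the stream and pass it to the library. The check covers only ZIP-based formats such as XLSX, and only parts matching the assumed extensions.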