This article discusses a fix that we’ve been working on internally for quite awhile. Since this partially involves my product, I want to clarify a few things. First, the article says that we recommend avoiding DTS when possible — that should be DTDs, not DTS. Also, while it is correct that XSD is much less dangerous than DTDs for this sort of attack, XSD has some issues that people need to be aware of, so shouldn’t be considered an “automatically secure” pass. Specifically, systems should not use untrusted external schemas for validation, since schema imports can be used maliciously to connect to other sites or files. Also, XSD schemas which assess key/keyref will need n^2 resources to compute, so systems need to bound the size of XML validated, and generally be aware of the issues.