documented workspace trust interaction with resolveExternalEntities (#546)

Alexander Xu Chen · web-flow · commit 475372e01f38 · 2021-07-09T09:49:59.000-04:00
diff --git a/README.md b/README.md
@@ -106,7 +106,7 @@ The following settings are supported:
  * [`xml.validation.namespaces.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#xmlvalidationsnamespacesenabled): Enable/disable namespaces validation. Default is `always`. Ignored if [`xml.validation.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md) is set to `false`.
  * [`xml.validation.schema.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#xmlvalidationschemaenabled): Enable/disable schema based validation. Default is `always`. Ignored if [`xml.validation.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md) is set to `false`.
  * [`xml.validation.disallowDocTypeDecl`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#disallow-doc-type-declarations): Enable/disable if a fatal error is thrown if the incoming document contains a DOCTYPE declaration. Default is `false`.
-* [`xml.validation.resolveExternalEntities`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities): Enable/disable resolve of external entities. Default is `false`.
+* [`xml.validation.resolveExternalEntities`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities): Enable/disable resolve of external entities. Default is `false`. Disabled in untrusted workspace.
 * [`xml.validation.noGrammar`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Preferences.md#grammar): The message severity when a document has no associated grammar. Defaults to `hint`.
 * [`xml.symbols.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Symbols.md#xmlsymbolsenabled): Enable/disable document symbols (Outline). Default is `true`.
 * `xml.symbols.excluded`: Disable document symbols (Outline) for the given file name patterns. Updating file name patterns does not automatically reload the Outline view for the relevant file(s). Each file must either be reopened or changed, in order to trigger an Outline view reload.
diff --git a/docs/Validation.md b/docs/Validation.md
@@ -415,6 +415,8 @@ Here are some examples of files with `xml.validation.disallowDocTypeDeclaration`
 
 If `xml.validation.resolveExternalEntities` is set to `true` (default is `false`), then the value of [external entities](https://www.w3schools.com/xml/xml_dtd_entities.asp) are resolved for validation. This means that the file referenced in the external entity declaration will be downloaded. The default is `false` due to [the xml external entity attack](https://en.wikipedia.org/wiki/XML_external_entity_attack).
 
+In an untrusted workspace, this feature is disabled.
+
 Demonstration of the different behaviour:
 
 ![When using the default settings, an external entity that has an XML element as its content will not produce a validation error when nested in an element that expects character content. If `xml.validation.resolveExternalEntities` is enabled, then an error will be produced](./images/Validation/ExternalEntityResolvingDemonstration.gif)
@@ -486,7 +488,7 @@ Create the XSD `foo.xsd` file (in the same folder as foo.xml) :
 </xs:schema>
 ```
 
-In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:schemaLocation with bad namespace hint 
+In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:schemaLocation with bad namespace hint
 
 ```xml
 <foo>
@@ -499,7 +501,7 @@ In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:sch
 
 In `always` you will have error, in `onValidSchema` you will have none error.
 
-Now, update the xsi:schemaLocation with bad location hint 
+Now, update the xsi:schemaLocation with bad location hint
 
 ```xml
 <foo>
diff --git a/package.json b/package.json
@@ -411,7 +411,7 @@
         "xml.validation.resolveExternalEntities": {
           "type": "boolean",
           "default": false,
-          "markdownDescription": "Enable/disable resolve of external entities. Default is `false`. See [here](command:xml.open.docs?%5B%7B%22page%22%3A%22Validation%22%2C%22section%22%3A%22resolve-external-entities%22%7D%5D) for more information.",
+          "markdownDescription": "Enable/disable resolve of external entities. Default is `false`. See [here](command:xml.open.docs?%5B%7B%22page%22%3A%22Validation%22%2C%22section%22%3A%22resolve-external-entities%22%7D%5D) for more information. Disabled for untrusted workspaces",
           "scope": "window"
         },
         "xml.validation.noGrammar": {
