documented workspace trust interaction with resolveExternalEntities

Alexander Chen · Alexander Chen · commit de421a5232ff · 2021-07-09T09:33:08.000-04:00
diff --git a/README.md b/README.md
@@ -106,7 +106,7 @@ The following settings are supported:
  * [`xml.validation.namespaces.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#xmlvalidationsnamespacesenabled): Enable/disable namespaces validation. Default is `always`. Ignored if [`xml.validation.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md) is set to `false`.
  * [`xml.validation.schema.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#xmlvalidationschemaenabled): Enable/disable schema based validation. Default is `always`. Ignored if [`xml.validation.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md) is set to `false`.
  * [`xml.validation.disallowDocTypeDecl`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#disallow-doc-type-declarations): Enable/disable if a fatal error is thrown if the incoming document contains a DOCTYPE declaration. Default is `false`.
-* [`xml.validation.resolveExternalEntities`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities): Enable/disable resolve of external entities. Default is `false`.
+* [`xml.validation.resolveExternalEntities`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities): Enable/disable resolve of external entities. Default is `false`. Disabled in untrusted workspace.
 * [`xml.validation.noGrammar`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Preferences.md#grammar): The message severity when a document has no associated grammar. Defaults to `hint`.
 * [`xml.symbols.enabled`](https://github.com/redhat-developer/vscode-xml/blob/master/docs/Symbols.md#xmlsymbolsenabled): Enable/disable document symbols (Outline). Default is `true`.
 * `xml.symbols.excluded`: Disable document symbols (Outline) for the given file name patterns. Updating file name patterns does not automatically reload the Outline view for the relevant file(s). Each file must either be reopened or changed, in order to trigger an Outline view reload.
diff --git a/docs/Validation.md b/docs/Validation.md
@@ -419,6 +419,8 @@ Demonstration of the different behaviour:
 
 ![When using the default settings, an external entity that has an XML element as its content will not produce a validation error when nested in an element that expects character content. If `xml.validation.resolveExternalEntities` is enabled, then an error will be produced](./images/Validation/ExternalEntityResolvingDemonstration.gif)
 
+In an untrusted workspace, this feature is disabled.
+
 ## xml.validation.namespaces.enabled
 
 The `xml.validation.namespaces.enabled` gives the capability to enable / disable the namespaces (prefix) validation. It can be configured with 3 values:
@@ -486,7 +488,7 @@ Create the XSD `foo.xsd` file (in the same folder as foo.xml) :
 </xs:schema>
 ```
 
-In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:schemaLocation with bad namespace hint 
+In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:schemaLocation with bad namespace hint
 
 ```xml
 <foo>
@@ -499,7 +501,7 @@ In the XML file, the `BAD_ELEMENT` is higlighted as an error. Update the xsi:sch
 
 In `always` you will have error, in `onValidSchema` you will have none error.
 
-Now, update the xsi:schemaLocation with bad location hint 
+Now, update the xsi:schemaLocation with bad location hint
 
 ```xml
 <foo>
diff --git a/package.json b/package.json
@@ -411,7 +411,7 @@
         "xml.validation.resolveExternalEntities": {
           "type": "boolean",
           "default": false,
-          "markdownDescription": "Enable/disable resolve of external entities. Default is `false`. See [here](command:xml.open.docs?%5B%7B%22page%22%3A%22Validation%22%2C%22section%22%3A%22resolve-external-entities%22%7D%5D) for more information.",
+          "markdownDescription": "Enable/disable resolve of external entities. Default is `false`. See [here](command:xml.open.docs?%5B%7B%22page%22%3A%22Validation%22%2C%22section%22%3A%22resolve-external-entities%22%7D%5D) for more information. Disabled for untrusted workspaces",
           "scope": "window"
         },
         "xml.validation.noGrammar": {
