# XML External Entity (XXE) Injection

- ID: go-xxe
- Severity: HIGH
- CWE: XXE (CWE-611)
- Languages: Go

## Description

User-controlled XML parsed without disabling external entities.

## Detection Message

Untrusted XML input from {source} is parsed at {sink}. If external entity processing is enabled, this can lead to XXE attacks.

## Remediation

Go's `encoding/xml` is safe by default. Reject XML with DOCTYPE declarations.

```go
if bytes.Contains(body, []byte("
```
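
The following is an added example, not part of this rule's own code: one way to reject DOCTYPE declarations by walking the `encoding/xml` token stream before unmarshalling, so that the string `<!DOCTYPE` inside a comment or CDATA section does not cause a false rejection. The names `ParseNote`, `Note` and `ErrDoctype` are hypothetical, and the inputs in `main` are constructed samples.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrDoctype and Note are names made up for this example.
var ErrDoctype = errors.New("xml: DOCTYPE declaration rejected")

type Note struct {
	To   string `xml:"to"`
	Body string `xml:"body"`
}

// ParseNote rejects any document that carries a DOCTYPE directive, then
// unmarshals it. Walking tokens (not raw bytes) ignores the string
// "<!DOCTYPE" when it only appears inside a comment or CDATA section.
func ParseNote(body []byte) (Note, error) {
	var n Note
	dec := xml.NewDecoder(bytes.NewReader(body))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return n, err // malformed XML is rejected as well
		}
		if d, ok := tok.(xml.Directive); ok &&
			strings.HasPrefix(strings.ToUpper(strings.TrimSpace(string(d))), "DOCTYPE") {
			return n, ErrDoctype
		}
	}
	return n, xml.Unmarshal(body, &n)
}

func main() {
	// Constructed sample inputs: one plain document, one with a DTD.
	plain := []byte(`<note><to>ops</to><body>hi</body></note>`)
	withDTD := []byte(`<!DOCTYPE note [<!ENTITY e "v">]><note><to>&e;</to></note>`)
	for _, in := range [][]byte{plain, withDTD} {
		n, err := ParseNote(in)
		fmt.Printf("%+v err=%v\n", n, err)
	}
}
```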