From 4e386689674e7285240b687c346dace6fe19c50a Mon Sep 17 00:00:00 2001
From: Repo Assist <repo-assist@github.com>
Date: Mon, 23 Feb 2026 16:11:22 +0000
Subject: [PATCH] Set DtdProcessing.Parse explicitly as the default for XML
 parsing

DtdProcessing.Parse is the default on .NET Core and was the behavior
before the XXE fix that was reverted (#1633). Making this explicit
ensures the intended behavior is clear and documented in code.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/FSharp.Data.Xml.Core/XmlRuntime.fs | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/FSharp.Data.Xml.Core/XmlRuntime.fs b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
index 23c76ff7c..fe1005b95 100644
--- a/src/FSharp.Data.Xml.Core/XmlRuntime.fs
+++ b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
@@ -6,6 +6,7 @@ namespace FSharp.Data.Runtime.BaseTypes
 
 open System.ComponentModel
 open System.IO
+open System.Xml
 open System.Xml.Linq
 
 #nowarn "10001"
@@ -56,7 +57,12 @@ type XmlElement =
                                IsError = false)>]
     static member Create(reader: TextReader) =
         use reader = reader
-        let element = XDocument.Load(reader, LoadOptions.PreserveWhitespace).Root
+
+        let settings =
+            XmlReaderSettings(DtdProcessing = DtdProcessing.Parse)
+
+        use xmlReader = XmlReader.Create(reader, settings)
+        let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root
         { XElement = element }
 
     /// <exclude />
@@ -69,12 +75,21 @@ type XmlElement =
         use reader = reader
         let text = reader.ReadToEnd()
 
+        let settings =
+            XmlReaderSettings(DtdProcessing = DtdProcessing.Parse)
+
         try
-            XDocument.Parse(text, LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader(text)
+            use xmlReader = XmlReader.Create(stringReader, settings)
+
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
         with _ when text.TrimStart().StartsWith "<" ->
-            XDocument.Parse("<root>" + text + "</root>", LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader("<root>" + text + "</root>")
+            use xmlReader = XmlReader.Create(stringReader, settings)
+
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray