Merge pull request BlogEngine#206 from irbishop/CVE-2019-10718

Patch to prevent XXE on pingback.axd and metaweblog.axd

Author: rxtur

BlogEngine/BlogEngine.Core/API/MetaWeblog/XMLRPCRequest.cs

@@ -327,7 +327,7 @@ private static MWAPost GetPost(XmlNode node)
         /// </param>
         private void LoadXmlRequest(string xml)
         {
-            var request = new XmlDocument();
+            var request = new XmlDocument() { XmlResolver = null };
             try
             {
                 if (!(xml.StartsWith("<?xml") || xml.StartsWith("<method")))
@@ -505,4 +505,4 @@ private static string ParseRequest(HttpContext context)
 
         #endregion
     }
-}
+}

BlogEngine/BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs

@@ -337,7 +337,7 @@ private static XmlDocument RetrieveXmlDocument(HttpContext context)
                 context.Response.End();
             }
 
-            var doc = new XmlDocument();
+            var doc = new XmlDocument() { XmlResolver = null };
             doc.LoadXml(xml);
             return doc;
         }
@@ -432,4 +432,4 @@ private void ExamineSourcePage(string sourceUrl, string targetUrl)
 
         #endregion
     }
-}
+}