Commit
Deploy the generated website via GitHub Actions
actions-user committed Jan 18, 2024
1 parent 99f31cd commit 22bfe3e
Showing 6 changed files with 21 additions and 3 deletions.
2 changes: 1 addition & 1 deletion News.xml

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion README.md
@@ -1 +1 @@
Website last update: 2024-01-18 at 13:49:58.
Website last update: 2024-01-18 at 19:07:11.
Binary file modified bundle.zip
Binary file not shown.
18 changes: 18 additions & 0 deletions cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Expand Up @@ -2381,6 +2381,13 @@
<nav class="md-nav" aria-label=".NET">
<ul class="md-nav__list">

<li class="md-nav__item">
<a href="#aspnet" class="md-nav__link">
ASP.NET
</a>

</li>

<li class="md-nav__item">
<a href="#linq-to-xml" class="md-nav__link">
LINQ to XML
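Review bot: the new nav entry links to "#aspnet", so it must match the id of the heading it points at; the third hunk of this file adds <h3 id="aspnet">, so the two are consistent. Note that this HTML is build output (the commit is the automated deploy from GitHub Actions), so any further change to the navigation belongs in the cheat sheet's markdown source, not in this file.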
Expand Down Expand Up @@ -2908,6 +2915,13 @@
<nav class="md-nav" aria-label=".NET">
<ul class="md-nav__list">

<li class="md-nav__item">
<a href="#aspnet" class="md-nav__link">
ASP.NET
</a>

</li>

<li class="md-nav__item">
<a href="#linq-to-xml" class="md-nav__link">
LINQ to XML
Expand Down Expand Up @@ -3614,6 +3628,10 @@ <h2 id="net">.NET<a class="headerlink" href="#net" title="Permanent link">&para;
</tbody>
</table>
<p>* For .NET Framework Versions ≥4.5.2, these libraries won't even process the in-line DTD by default. Even if you change the default to allow processing a DTD, if a DoS attempt is performed an exception will still be thrown as documented above.</p>
<h3 id="aspnet">ASP.NET<a class="headerlink" href="#aspnet" title="Permanent link">&para;</a></h3>
<p>ASP.NET applications ≥ .NET 4.5.2 must also ensure setting the <code>&lt;httpRuntime targetFramework="..." /&gt;</code> in their <code>Web.config</code> to ≥4.5.2 or risk being vulnerable regardless or the actual .NET version. Omitting this tag will also result in unsafe-by-default behavior.</p>
<p>For the purpose of understanding the above table, the <code>.NET Framework Version</code> for an ASP.NET applications is either the .NET version the application was build with or the httpRuntime's <code>targetFramework</code> (Web.config), <strong>whichever is lower</strong>.</p>
<p>This configuration tag should not be confused with a simmilar configuration tag: <code>&lt;compilation targetFramework="..." /&gt;</code> or the assemblies / projects targetFramework, which are <strong>not</strong> sufficient for achieving secure-by-default behaviour as advertised in the above table.</p>
<h3 id="linq-to-xml">LINQ to XML<a class="headerlink" href="#linq-to-xml" title="Permanent link">&para;</a></h3>
<p>Both the <code>XElement</code> and <code>XDocument</code> objects in the <code>System.Xml.Linq</code> library are safe from XXE injection from external file and DoS attack by default. <code>XElement</code> parses only the elements within the XML file, so DTDs are ignored altogether. <code>XDocument</code> has XmlResolver <a href="https://docs.microsoft.com/en-us/dotnet/standard/linq/linq-xml-security">disabled by default</a> so it's safe from SSRF. Whilst DTDs are <a href="https://referencesource.microsoft.com/#System.Xml.Linq/System/Xml/Linq/XLinq.cs,71f4626a3d6f9bad">enabled by default</a>, from Framework versions ≥4.5.2, it is <strong>not</strong> vulnerable to DoS as noted but it may be vulnerable in earlier Framework versions. For more information, see <a href="http://msdn.microsoft.com/en-us/magazine/ee335713.aspx">Microsoft's guidance on how to prevent XXE and XML Denial of Service in .NET</a></p>
<h3 id="xmldictionaryreader">XmlDictionaryReader<a class="headerlink" href="#xmldictionaryreader" title="Permanent link">&para;</a></h3>
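Review bot: the added ASP.NET paragraphs contain several typos that should be corrected in the cheat sheet's markdown source, since this HTML is regenerated on every deploy: "regardless or the actual .NET version" should read "regardless of", "simmilar" should be "similar", and "an ASP.NET applications is either the .NET version the application was build with" should be "an ASP.NET application is either the .NET version the application was built with". The statement that the effective version is the lower of the build target and the httpRuntime targetFramework would benefit from a link to the Microsoft documentation it is based on, as the neighbouring LINQ to XML paragraph does for its claims. A short Web.config fragment, for example <system.web><httpRuntime targetFramework="4.5.2" /></system.web>, would also make the required setting unambiguous, especially because the text warns that the similarly named <compilation targetFramework="..." /> element is not sufficient.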
2 changes: 1 addition & 1 deletion search/search_index.json

Large diffs are not rendered by default.

Binary file modified sitemap.xml.gz
Binary file not shown.

0 comments on commit 22bfe3e