checkSecurityXml

Checks whether XML files are read securely. Insecure deserialization can lead to code execution; for XML specifically, allowing the use of DOCTYPE declarations can also lead to Denial of Service (DoS) attacks. This is well documented here.

Since MATLAB R2019b, you can prevent reading XML files that contain DOCTYPE declarations by setting the 'AllowDoctype' name-value pair of the xmlread function to false. This check reports a violation if the xmlread function is called without setting 'AllowDoctype' to false. For more information, see the xmlread reference page.

Since MATLAB R2021a, you can read XML files using the matlab.io.xml.dom.Parser class. By default, the AllowDoctype property of the parser's Configuration property is false. Therefore, this check reports a violation only if that property is explicitly set to true; leaving it unset is compliant.

Exemption tag: %@ok<SCXML>
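The following MATLAB function is an added example, not part of this documentation page or of the checker itself. It constructs a small XML document containing a harmless DOCTYPE declaration, writes it to a temporary file, and shows the xmlread and matlab.io.xml.dom.Parser forms that this check treats as compliant (both reject the file) next to, in comments, the forms it reports. The file name and document content are constructed here; the exemption tag is placed at the end of the line it applies to.

```matlab
function checkSecurityXmlExample()
% Added example (not from the checkSecurityXml documentation): reading an XML
% file with DOCTYPE declarations disallowed, as the check requires.

    % Constructed sample document: the DOCTYPE is benign, but any DOCTYPE is
    % enough for the secure configurations below to refuse the file.
    xmlText = sprintf(['<?xml version="1.0"?>\n' ...
        '<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]>\n' ...
        '<note>hello</note>\n']);
    xmlFile = [tempname '.xml'];
    fid = fopen(xmlFile, 'w');
    fprintf(fid, '%s', xmlText);
    fclose(fid);
    cleanup = onCleanup(@() delete(xmlFile)); %#ok<NASGU> remove temp file on exit

    % Non-compliant (reported by checkSecurityXml): DOCTYPE declarations are
    % accepted, so the document controls what the parser expands.
    % doc = xmlread(xmlFile);

    % Compliant (R2019b and later): refuse documents with a DOCTYPE declaration.
    try
        doc = xmlread(xmlFile, 'AllowDoctype', false); %#ok<NASGU>
        fprintf('xmlread accepted the file (no DOCTYPE present)\n');
    catch err
        fprintf('xmlread rejected the DOCTYPE: %s\n', err.message);
    end

    % Compliant (R2021a and later): the Parser class defaults
    % Configuration.AllowDoctype to false, so nothing needs to be set.
    parser = matlab.io.xml.dom.Parser;
    try
        doc = parseFile(parser, xmlFile); %#ok<NASGU>
        fprintf('Parser accepted the file (no DOCTYPE present)\n');
    catch err
        fprintf('Parser rejected the DOCTYPE: %s\n', err.message);
    end

    % Non-compliant (reported): explicitly enabling DOCTYPE on the parser.
    % parser.Configuration.AllowDoctype = true;

    % When a trusted, DOCTYPE-bearing file must be read anyway, suppress the
    % finding on that line only with the exemption tag:
    % doc = xmlread(trustedFile); %@ok<SCXML>
end
```

Running the function prints the rejection messages from both parsers; the two commented-out lines are the patterns the check flags, and the last comment shows where the %@ok<SCXML> tag goes when an exemption is deliberate.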