Checks if XML files are accessed securely. Insecure deserialization results in code execution. Specifically for XML this can result in DoS (Denial of Service) attacks when allowing the use of DOCTYPE declarations. This is well documented here.

Since MATLAB R2019b, you can prevent reading XML files that contain DOCTYPE declarations by setting the 'AllowDoctype' name-value pair of the xmlread function to false. This check will report a violation if the xmlread function is used without setting AllowDocType to false. For more information, see the xmlread reference page.

Since MATLAB R2021a, you can read XML files using the class. By default, the AllowDoctype property of the parser's Configuration property is set to false. Therefore, this check reports a violation if the property is explicitly set to true, and not if the property is not set at all.

Exemption tag: %@ok<SCXML>