User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20170303012758 Steps to reproduce: Product affected : FF 52.0 User Agent : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 OS : Linux 4.4.0-64-generic Actual results: Steps to Reproduce : 1. Open index.html Trying using Mozilla. It's a Denial of Service attack so not marking it has a security Bug.

Peter or Henri, do you think there's anything we can/should do here to mitigate things?

This is a slight variation of https://en.wikipedia.org/wiki/Billion_laughs_attack . I'm a bit surprised that we don't already mitigate this. The easiest fix would be to be non-conforming and not support internal entity declarations from non-chrome URLs. But I'm sure there has to be some content out there that uses internal entity declarations in small amounts just because it's supposed to work (see. "Why Specs Matter"). CCing annevk for an opinion on how non-conforming we should dare to be. I'm going to look at the expat source next to see about mitigation opportuntities.

Looks like the person who appears to be the maintainer of expat has been seeking funding for by-default protection against billion laughs as recently as August this year: https://www.xml.com/news/2017-08-expat-224-released/