From 2320569c05b1df9fce77e51677d4359717328f44 Mon Sep 17 00:00:00 2001
From: "Nain, Sunil"
Date: Mon, 8 Jun 2026 14:26:34 +0530
Subject: [PATCH] GENAI=YES |AISAST-10685-XXE via entity substitution enabled by noent flag

---
 lib/authorize_net/xml_response.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/authorize_net/xml_response.rb b/lib/authorize_net/xml_response.rb
index 8a0c97c..3ac7e4a 100644
--- a/lib/authorize_net/xml_response.rb
+++ b/lib/authorize_net/xml_response.rb
@@ -9,8 +9,9 @@ def initialize(raw_response, transaction)
 unless connection_failure?
 begin
 xml = Nokogiri::XML(@raw_response.body) do |config|
- # confirm noent is the right flag
- config.recover.noent.nonet
+ # Security: Do NOT use .noent - it enables entity substitution which allows XXE attacks.
+ # Predefined XML entities (&, <, etc.) are decoded by default without .noent.
+ config.recover.nonet
 end
 @root = xml.children[0]
 @result_code = node_content_unless_nil(@root.at_css('messages resultCode'))
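Review bot: `config.recover.nonet` on the new side is, as far as I recall, exactly Nokogiri's default XML parse options (RECOVER | NONET), so the config block now only restates the defaults; keeping it for the explicit comment is fine, but the comment should say so, e.g. `# Explicitly restate Nokogiri's defaults (recover + nonet): no entity substitution, no network access for external DTDs/entities.` The first new comment line is slightly imprecise: `noent` substitutes entity references (internal and external) into the document text, and it is that substitution combined with resolving external resources that forms the XXE vector, while `nonet` is what already blocks remote fetches. Consider adding a regression spec that parses a response body declaring an internal `<!ENTITY>` and asserts the reference in `resultCode` stays literal, so a future reintroduction of `.noent` fails CI rather than a SAST scan. The `begin` opened in the hunk has its `rescue` outside the hunk, so I cannot see how a nil `@root` (possible under `recover` when the body is not XML, since `xml.children[0]` then returns nil before `at_css`) is handled.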