# XML Decoder

> Paste XML and read its structure: the declaration, the DOCTYPE and any entities, the element tree with namespaces and attributes, plus a security check of the XML attack surface. Nothing is fetched or resolved.

- Tool: https://ronutz.com/en/tools/xml-decoder
- Family: Security & WAF

---

## What it does

Paste XML and the tool parses it into a readable structure: the XML declaration, the DOCTYPE and any entities it declares, and the full element tree with its namespaces and attributes, along with CDATA, comments, and processing instructions. It checks that the document is well-formed and runs a security analysis of the XML attack surface. It fetches nothing and resolves nothing.

## What it shows

XML packs several kinds of node into one document, and the tool separates them out: the **declaration** with its version and encoding; the **DOCTYPE** and any **entities** it defines; the **element tree**, with **namespaces** (the `xmlns` bindings) and **attributes** shown per element; and the **CDATA** sections, **comments**, and **processing instructions**. It also checks well-formedness in the XML sense: that every tag is matched and that the document has exactly one root element.

## The XML attack surface

XML is powerful in a way that makes it dangerous when it comes from an untrusted source, and the tool's security analysis flags exactly where that danger lives:

- **A DOCTYPE at all**, because the document type definition is what enables the rest;
- **External entities**, which can pull in a local file or a URL and are the mechanism of XML External Entity (XXE) attacks;
- **Parameter entities**, a form used to smuggle XXE past naive defenses; and
- **Entity expansion**, the nesting behind the billion-laughs denial-of-service attack.

Seeing these called out is the point: it tells you whether a given document is trying to do something a plain data document never would.

## Safe by construction

The tool is a text tokenizer, not an XML processor. It reads the document as text and describes its structure, and it never resolves an entity, never opens an external reference, and never expands anything. That is what lets it analyze hostile XML safely: the very features it warns you about are described, not executed. This is the general-purpose counterpart to the SAML decoder, which refuses a DTD entirely because a SAML message never legitimately has one.

## Using it

Paste an XML document and read its declaration, DOCTYPE and entities, element tree, and the security flags. The parse is deterministic and local, so it is safe to inspect XML from any source.

## Standards and references

- [W3C - Extensible Markup Language (XML) 1.0](https://www.w3.org/TR/xml/)
- [W3C - Namespaces in XML 1.0](https://www.w3.org/TR/xml-names/)
- [OWASP - XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)

## Related reading

- [Billion Laughs and Entity Expansion](https://ronutz.com/en/learn/billion-laughs-and-entity-expansion.md): Entities can reference other entities, and if each one multiplies the last, a tiny document can expand to gigabytes and exhaust memory. The billion laughs attack weaponizes this into a denial of service. The defense is to cap expansion or refuse the DOCTYPE outright.
- [CDATA, Comments, and Processing Instructions](https://ronutz.com/en/learn/cdata-comments-and-processing-instructions.md): Not everything in XML is an element. CDATA sections hold raw text that would otherwise need escaping, comments annotate without affecting content, and processing instructions carry directions for an application. Recognizing these three keeps them from looking like mysterious noise.
- [Reading XML Structure](https://ronutz.com/en/learn/reading-xml-structure.md): XML is a tree of elements built from a handful of parts: an optional declaration, elements with attributes, text, and a few special constructs. Once you can name each part and see how they nest, reading an unfamiliar document top to bottom becomes routine rather than a guessing game.
- [Well-Formed vs Valid XML](https://ronutz.com/en/learn/xml-well-formedness.md): Well-formedness is XML's baseline: one root, properly nested and matched tags, quoted attributes, and escaped specials. Validity is a stronger, separate claim that a document also follows a schema. A parser rejects ill-formed XML outright, which is why these rules come first.
- [XML Namespaces Explained](https://ronutz.com/en/learn/xml-namespaces-explained.md): When two XML vocabularies use the same element name for different things, namespaces keep them apart by binding a prefix to a unique URI. The prefix is just a local shorthand; the URI is the real identity. Understanding that split resolves most namespace confusion.
- [XXE and External Entities](https://ronutz.com/en/learn/xxe-and-external-entities.md): XML lets a document declare entities, and an external entity can point at a file or URL. A parser that resolves one can be tricked into reading local files or making server-side requests, the XXE vulnerability. The fix is blunt and effective: do not process a DOCTYPE at all.
