
Trying to use <!ENTITY in ANDROID resources with error: "The entity was referenced, but not declared."


I'm following this solution to use entities in my string resource file:

Is it possible to do string substitution in Android resource XML files directly?

I'm using an external file in the resource tree: /res/raw/entities.dtd, its content:

<!ENTITY ent_devicename "MyDeviceName">

In the string.xml resource file:

<!DOCTYPE resources [
    <!ENTITY % ent_devicename SYSTEM "../raw/entities.dtd">
    %ent_devicename;
]>

<resources>
    <string name="name">The name is &ent_devicename;</string>
</resources>

but I get this error:

The entity "ent_devicename" was referenced, but not declared.

As you can see Android Studio recognizes the external entity file:


and the entity:


Can someone provide a full, correct example to make things work? I mean a full compilable Android Studio project, with entity declarations in a separate file.

UPDATE Ok, if you pay more attention to this w3schools link:

https://www.w3schools.com/xml/xml_dtd_entities.asp

you see the solution:

the external entities.dtd file contains

<!ENTITY ent_devicename "MyDeviceName">

then the new string resource:

<?xml version="1.0" encoding="utf-8"?>

    <!DOCTYPE resources [
        <!ENTITY ent_devicename SYSTEM "../raw/entities.dtd">
        ]>

<resources xmlns:tools="http://schemas.android.com/tools" tools:ignore="Typos">
    <string name="ent_devicenamxxe2">&ent_devicename;</string>
</resources>

I changed <!ENTITY % ent_devicename to <!ENTITY ent_devicename (no more %), and I deleted %ent_devicename;

Now it compiles but the resulting APK seems to ignore the entity values (uses an empty string). So the problem is not resolved!

Let me know!


Solution

  • TL;DR This feature has been removed from Android Studio. See the bug report here.

    It looks like XML External Entities were supported at one time in Android Studio. It also looks to me like Android Studio currently should be supporting external entities since the editor doesn't complain. The underlying processing of the XML doesn't actually do the inclusion as expected giving the "referenced but not declared" error.

    Although I have not found an explicit reference to Android Studio abandoning external entities, it would make sense due to a vulnerability that was uncovered. See Android Developers Susceptible to Data Exposure from XXE Attack and the security write-up.

    It is also possible that access to external entities is now gated somehow, but I think that Android Studio would be more helpful if that is the case. It is more likely that the functionality was just removed due to the vulnerability.

    By the way, I have experimented with the other answers and I have had no luck - just the same error.

    Edit:

    I just came across a Medium post that discusses JetBrains addressing the XXE vulnerability.

    Second edit

    I found a reference for the disablement on the bug tracker.

    this may have been disabled for security reason, it requires complete analysis before resolution, punting to 3.2

    and

    This was indeed disabled for security reasons (preventing XXE attacks) in Change-Id: I2f1978bc5458ba2b2b2d6ffbc9df5710c487a4e4.

    Its status is "won't fix-intended behavior." It would have been nice if Studio had been changed to emit an error message that the facility was disabled for security reasons.
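
The answer points out that the build gives no message saying external entities were turned off. The following is an added example, not code from the original post or from Android Studio: a Python pre-build check that reports external entity declarations in a resource file without ever resolving them, and shows the string values a non-resolving parser produces. The function name `audit_resource_xml` and the sample constants are hypothetical, and the inline-entity sample is constructed for comparison.

```python
import xml.parsers.expat

def audit_resource_xml(xml_text):
    """Return (findings, strings); external entities are reported, never fetched."""
    findings, strings, current = [], {}, []
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry SYSTEM/PUBLIC ids.
        if system_id is not None or public_id is not None:
            findings.append(("parameter" if is_param else "general", name, system_id))

    def start(tag, attrs):
        if tag == "string":
            current[:] = [attrs.get("name"), ""]

    def chars(data):
        if current:
            current[1] += data

    def end(tag):
        if tag == "string" and current:
            strings[current[0]] = current[1]
            current.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = chars
    # Returning 1 marks the reference as handled; no file or URL is opened.
    parser.ExternalEntityRefHandler = lambda ctx, base, system_id, public_id: 1
    parser.Parse(xml_text, True)
    return findings, strings

# Trimmed from the question: parameter-entity form and general-entity form.
PARAM_FORM = """<!DOCTYPE resources [
    <!ENTITY % ent_devicename SYSTEM "../raw/entities.dtd">
    %ent_devicename;
]>
<resources><string name="name">The name is &ent_devicename;</string></resources>"""
GENERAL_FORM = """<!DOCTYPE resources [
    <!ENTITY ent_devicename SYSTEM "../raw/entities.dtd">
]>
<resources><string name="ent_devicenamxxe2">&ent_devicename;</string></resources>"""
# Constructed for comparison: the same entity declared inline, no external file.
INLINE_FORM = """<!DOCTYPE resources [ <!ENTITY ent_devicename "MyDeviceName"> ]>
<resources><string name="name">The name is &ent_devicename;</string></resources>"""

if __name__ == "__main__":
    for label, doc in [("param", PARAM_FORM), ("general", GENERAL_FORM), ("inline", INLINE_FORM)]:
        print(label, *audit_resource_xml(doc))
```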