From a700e87887cac7e20e9f0c9b280a63038a05700e Mon Sep 17 00:00:00 2001
From: Martin <laz.git@mfriebe.de>
Date: Fri, 24 Mar 2023 10:12:02 +0100
Subject: [PATCH] LazUtils: TXmlReader , only allow reading #0 if
 xrfAllowSpecialCharsInAttributeValue is set. Don't allow with just XML11.

---
 components/lazutils/laz2_xmlread.pas | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/components/lazutils/laz2_xmlread.pas b/components/lazutils/laz2_xmlread.pas
index f55e52275a..1331eeeb2b 100644
--- a/components/lazutils/laz2_xmlread.pas
+++ b/components/lazutils/laz2_xmlread.pas
@@ -1904,7 +1904,12 @@ begin
     until Value > $10FFFF;
 
     case Value of
-      $00..$08, $0B..$0C, $0E..$1F:
+      $00:
+        if (xrfAllowSpecialCharsInAttributeValue in FFlags) then
+          BufAppend(ToFill, DOMChar(Value))
+        else
+          FatalError('Invalid character reference');
+      $01..$08, $0B..$0C, $0E..$1F:
         if FXML11 or (xrfAllowSpecialCharsInAttributeValue in FFlags) then
           BufAppend(ToFill, DOMChar(Value))
         else