Dear Infosec people who have looked at XML and XXE before: I am trying to get an understanding of Blind XXE. Many of the descriptions I find are lacking an important detail which makes the attack much less practical. Blind XXE works by building an URL which contains content of a file, allowing to exfiltrate content. However, in all my tests, that *only* works if the file contains no newlines, as those are not allowed in URLs. Am I missing something? 🧵