From 9312d26da87cfc82594cf66c667a9fc099f8c802 Mon Sep 17 00:00:00 2001
From: soffensive <9149004+soffensive@users.noreply.github.com>
Date: Thu, 5 Feb 2026 10:52:25 +0100
Subject: [PATCH] Make XML/HTML encoding in SOAP requests optional (#6015)
Co-authored-by: soffensive
---
 lib/core/optiondict.py | 1 +
 lib/parse/cmdline.py | 3 +++
 lib/request/connect.py | 2 +-
 sqlmap.conf | 4 ++++
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index c38e61eef..44b4ca8f5 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -63,6 +63,7 @@ optDict = {
 "safeReqFile": "string",
 "safeFreq": "integer",
 "skipUrlEncode": "boolean",
+ "skipXmlEncode": "boolean",
 "csrfToken": "string",
 "csrfUrl": "string",
 "csrfMethod": "string",
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index ffba577c2..76cf5dbf7 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -276,6 +276,9 @@ def cmdLineParser(argv=None):
 request.add_argument("--skip-urlencode", dest="skipUrlEncode", action="store_true",
 help="Skip URL encoding of payload data")
+ request.add_argument("--skip-xml-encode", dest="skipXmlEncode", action="store_true",
+ help="Skip HTML encoding of payload data for SOAP/XML")
+
 request.add_argument("--csrf-token", dest="csrfToken",
 help="Parameter used to hold anti-CSRF token")
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 934d533fb..4d8024c34 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -1116,7 +1116,7 @@ class Connect(object):
 logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload.replace('\\', BOUNDARY_BACKSLASH_MARKER)).replace(BOUNDARY_BACKSLASH_MARKER, '\\'))
 if place == PLACE.CUSTOM_POST and kb.postHint:
- if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
+ if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML) and not conf.skipXmlEncode:
 # payloads in SOAP/XML should have chars > and < replaced
 # with their HTML encoded counterparts
 payload = payload.replace("&#", SAFE_HEX_MARKER)
diff --git a/sqlmap.conf b/sqlmap.conf
index 9d0ca92db..c2f8c10e7 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -198,6 +198,10 @@ safeFreq = 0
 # Valid: True or False
 skipUrlEncode = False
+# Skip HTML encoding of payload data for SOAP/XML.
+# Valid: True or False
+skipXmlEncode = False
+
 # Parameter used to hold anti-CSRF token.
 csrfToken =
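Review bot: In the lib/request/connect.py hunk, the comment under the changed `if` still reads as an unconditional rule ("payloads in SOAP/XML should have chars > and < replaced"), and nothing next to the new `and not conf.skipXmlEncode` says what the request body looks like when the flag is set. With the flag on, the escaping branch is skipped, so a payload containing `<`, `>` or `&` would be placed in the SOAP/XML body as-is and the document may no longer be well-formed. I would record that beside the condition, for example `# with --skip-xml-encode the payload is sent verbatim; the body may not be well-formed XML`, and repeat the caveat in the `--skip-xml-encode` help string and the sqlmap.conf comment. The rest of this branch chain lies outside the hunk, so it is worth confirming that a SOAP/XML hint with the flag set falls through without some other escaping being applied.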