I am trying to determine if a .NET Core application is vulnerable to XML External Entity (XXE) injection attacks. I read this OWASP XXE Prevention Cheat Sheet which tells me, for example, that XmlDocument is unsafe by default in .NET Framework versions prior to 4.5.2. I cannot find any similar documentation for .NET Core versions. I see that .NET Core was released within a few months of .NET Framework 4.6.2. Can I therefore assume that these XML parsers are safe by default in .NET Core?
The XML parsers I tested have the same characteristics in .NET Core 2.1 as they do in .NET Framework 4.5.2 (at least with respect to XXE injection). To respond to the specific example I gave in the question, XmlDocument is unsafe by default in .NET Framework 4.5.1, but safe by default in both .NET Framework 4.5.2 and .NET Core 2.1.
In order to convince myself of this fact, I performed testing for .NET Framework 4.5.1 and 4.5.2, and .NET Core 2.1. My code and results are available on GitHub.
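The kind of check the answer describes, as an added example rather than code from the question or from the answer's GitHub repository: a console program that feeds a file-disclosure XXE payload to XmlDocument under several configurations and reports whether the file contents leak. The temporary file, the payload, and the class and method names are constructed for this example. The line that sets `XmlResolver = new XmlUrlResolver()` reproduces the pre-4.5.2 default and serves as a positive control, so you can see the probe flag a configuration that is actually vulnerable on the same runtime.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not from the original post or its repository. Probes whether
// a given XmlDocument configuration expands an external entity that points at
// a local file. File path, payload and names below are constructed for this demo.
class XmlDocumentXxeProbe
{
    static void Main()
    {
        // Constructed: a "secret" file that the malicious DTD tries to read.
        string secretPath = Path.Combine(Path.GetTempPath(), "xxe-probe-secret.txt");
        File.WriteAllText(secretPath, "SECRET-VALUE-12345");
        string fileUri = new Uri(secretPath).AbsoluteUri;

        // Classic file-disclosure XXE: declare an external general entity
        // backed by the file, then reference it in element content.
        string payload =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE root [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>" +
            "<root>&xxe;</root>";

        Console.WriteLine("runtime: " + Environment.Version);
        Console.WriteLine("default XmlDocument              : " + Probe(payload, doc => { }));
        Console.WriteLine("XmlResolver = new XmlUrlResolver : " + Probe(payload, doc => doc.XmlResolver = new XmlUrlResolver()));
        Console.WriteLine("XmlResolver = null               : " + Probe(payload, doc => doc.XmlResolver = null));
        Console.WriteLine("XmlReader, DtdProcessing.Prohibit: " + ProbeWithReader(payload));

        File.Delete(secretPath);
    }

    // Loads the payload into an XmlDocument after applying the given
    // configuration and reports whether the secret ended up in the document.
    static string Probe(string payload, Action<XmlDocument> configure)
    {
        var doc = new XmlDocument();
        configure(doc);
        try
        {
            doc.LoadXml(payload);
            string text = doc.DocumentElement.InnerText;
            return text.Contains("SECRET-VALUE")
                ? "VULNERABLE - entity expanded to \"" + text + "\""
                : "safe - entity not expanded (content \"" + text + "\")";
        }
        catch (XmlException ex)
        {
            // Rejecting the DTD or the entity reference is also a safe outcome.
            return "safe - parser threw XmlException: " + ex.Message;
        }
    }

    // Hardened form that does not depend on runtime defaults: feed XmlDocument
    // from an XmlReader that refuses DTDs outright. Prohibiting the DTD also
    // blocks internal-entity expansion attacks, not just external fetches.
    static string ProbeWithReader(string payload)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(payload), settings))
            {
                var doc = new XmlDocument();
                doc.Load(reader);
                return "VULNERABLE - DTD accepted, content \"" + doc.DocumentElement.InnerText + "\"";
            }
        }
        catch (XmlException ex)
        {
            return "safe - DTD rejected: " + ex.Message;
        }
    }
}
```

Run it from a project targeting the runtime you care about (for example `dotnet run` in a netcoreapp2.1 project) and read the four lines. A configuration counts as safe whether the parser leaves the entity unexpanded or throws; only the line containing the secret is a finding. Two caveats a practitioner should keep in mind: the probe covers only the file-disclosure variant of XXE, and "safe by default" means exactly that, so any code that assigns an XmlResolver (as the positive-control line does) reintroduces the flaw on every runtime version.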