Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Parse XML document securely

Tags:

java

How do I parse an XML document securely so that it does not allow external entities as part of an incoming XML document? I am using DOM parser -

Document test = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(byteArrayInputStream))
like image 386
rickygrimes Avatar asked Mar 11 '14 20:03

rickygrimes

People also ask

How can we secure the parsing of XML?

Java applications using XML libraries are particularly vulnerable to XXE because the default settings for most Java XML parsers is to have XXE enabled. To use these parsers safely, you have to explicitly disable XXE in the parser you use.

What are the two methods of parsing in XML document?

To read and update, create and manipulate an XML document, you will need an XML parser. In PHP there are two major types of XML parsers: Tree-Based Parsers. Event-Based Parsers.

1 Answers

You can request secure processing by setting FEATURE_SECURE_PROCESSING; whether this prohibits external entities is up to the provider of the DocumentBuilderFactory, but it's a likely candidate.

DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Document test = f.newDocumentBuilder.parse(...);
like image 175
erickson Avatar answered Oct 21 '22 23:10

erickson
Sign in to Comment

Related questions

Java: Inheriting class can not be converted to super class in method parameter
How to stop and shutdown an entire hazelcast cluster?
How to extract BDD meta-statements from Spock specification classes
Android Google Maps: Combine scrollBy with zoomBy for simultaneous pan & zoom
AES 256 encryption - Qt equivalent for Java
How to check if a body has almost stopped moving in libgdx + box2d
What is the difference between multiple implementations of ArrayList in the (Java8) source code [duplicate]
Gradle Java debugging project in IntelliJ IDEA
WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2058' ('MQRC_Q_MGR_NAME_ERROR')
Robocode how to get the enemies co-ordinates
"failed while installing axis2 core 1.1" in eclipse?
Android: Understand resource-id in R.java
Can't compile/run in Eclipse- Java [closed]
Tracking Changes Using History Policy in eclipse link
Looping through all main() arguments
I have 64 bit Java, but no jdk folder in my Program Files\Java folder?
How can my ActionListener for a JButton access variables in another class?
Why can't I pass in java an array of short to method accepting array of int?
HK2 MethodInterceptor with Jersey resource
Tomcat Mapper class not found

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!