Parse XML document securely

Tags:

java

How do I parse an XML document securely so that it does not allow external entities as part of an incoming XML document? I am using DOM parser -

Document test = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(byteArrayInputStream));
rickygrimes asked Mar 11 '14 20:03



1 Answer

You can request secure processing by setting FEATURE_SECURE_PROCESSING; whether this prohibits external entities is up to the provider of the DocumentBuilderFactory, but it's a likely candidate.

DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Document test = f.newDocumentBuilder().parse(...);
erickson answered Oct 21 '22 23:10