Menu
I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.
The issue is, if the user enters an untrusted xml source url, the app and/or the device might be effected.
What are the best ways to identify risk and prevent exploit.
With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it.
Thanks.
728
After researching, I found this. I hope this would solve my problem.
To enable FEATURE_SECURE_PROCESSING
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Disable DTDs
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For StAX parser:
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
