I'm working on making sure some code isn't vulnerable to XXE attacks. For stuff being compiled and run on Java 7 and Java 8 I've had success with OWASP's recommendations -- see the Java section of https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
Here's the relevant snippet, trimmed down:
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // thrown by setFeature() if the parser does not support a feature

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Refuse any DOCTYPE at all; this single setting is the most effective defence against XXE
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// Belt and braces: also switch off external general and parameter entities
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
// Disable XInclude and entity-reference expansion as well
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
However, there's also (sigh) a Java 1.4 version of the code in question that needs to be fixed. But in Java 1.4 the DocumentBuilderFactory class does not have a setFeature() method, so this approach would appear to be inapplicable.
I have spent some time searching, but there's not much left out there on Java 1.4/JAXP 1.1 processing and even when things are found, links within the documents are often dead. So far I haven't managed to find how to disable XXE in Java 1.4 and so am asking here.
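An added example, not part of this question and not OWASP's code, of one hook JAXP 1.1 does leave open: DocumentBuilderFactory.setFeature() is absent in Java 1.4, but DocumentBuilder.setEntityResolver() is present, and a resolver that throws stops the parser from fetching any external entity. The class name, the sample document and its placeholder SYSTEM URI are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeResolverDemo {
    // Constructed sample: a DOCTYPE declaring an external entity; the SYSTEM URI is a placeholder, not a real file.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>\n"
        + "<root>&ext;</root>";

    // Java 1.4/JAXP 1.1 style: no setFeature(), but DocumentBuilder.setEntityResolver() exists and the
    // parser consults it before opening any external entity or external DTD subset. Throwing there
    // blocks the fetch. It does not stop internal entity expansion, so it is weaker than disallow-doctype-decl.
    static DocumentBuilder hardenedJaxp11() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setExpandEntityReferences(false); // present in 1.4 but not sufficient on its own
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(new EntityResolver() {   // 1.4-compatible: no generics, no @Override
            public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
                throw new SAXException("external entity blocked: " + systemId);
            }
        });
        return db;
    }

    // True when the parser rejected the document, false when it accepted it.
    static boolean rejects(DocumentBuilder db, String xml) throws IOException {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("resolver blocks external entity: " + rejects(hardenedJaxp11(), SAMPLE));
    }
}
```

Because the resolver only intervenes on external fetches, a DTD made up of purely internal entities is still expanded, so this addresses the file-disclosure and SSRF side of XXE but not entity-expansion denial of service.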