4

We read our XML template files using javax.xml.parsers.SAXParserFactory. If there is XXE in the XML file we're reading, is there a way to turn off processing that?

thanks - dave

David Thielen
    https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J – Ivan Aug 15 '18 at 14:50

1 Answer

3

Yes, it is by default susceptible to XXE attacks.

Consult this cheat sheet for properly configuring the parser:

To summarize, you'll want to configure the relevant vulnerabilities with SAXParserFactory.setFeature(foo, bar) (see the documentation).

Skere
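A worked version of the configuration the answer points at, as an added example (not code from the asker or the answerer): it builds a SAXParserFactory with the feature URIs recommended in the linked OWASP cheat sheet and parses two constructed inputs, one plain template and one that carries a DOCTYPE, to show the latter being rejected. The class name, handler and sample documents are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParsing {

    /** Builds a SAXParserFactory that refuses DOCTYPEs and never resolves external entities or DTDs. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Strongest setting: any DOCTYPE declaration is a fatal error, so no entity can be declared at all.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-specific (the JDK's built-in parser honours it): do not fetch external DTDs.
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setXIncludeAware(false); // XInclude is another way to pull in external content
        return spf;
    }

    /** Parses xml with the hardened parser and returns the number of start tags seen. */
    static int countElements(String xml) throws Exception {
        final int[] count = {0};
        SAXParser parser = hardenedFactory().newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                count[0]++;
            }
        });
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary template parses normally.
        System.out.println(countElements("<template><field name=\"x\"/></template>"));

        // Constructed sample: any DOCTYPE, even one declaring only an internal entity,
        // is rejected before the parser gets a chance to resolve anything.
        String withDoctype = "<!DOCTYPE t [<!ENTITY e \"hello\">]><t>&e;</t>";
        try {
            countElements(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If your templates legitimately need a DOCTYPE, drop only the disallow-doctype-decl line and keep the remaining features, which still stop external entity resolution.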