
When using DocumentBuilderFactory in Android, we are required to enforce some security features so that the XMLs can be safely processed. The following are the flags we are trying to set:

http://apache.org/xml/features/disallow-doctype-decl
or http://apache.org/xml/features/nonvalidating/load-external-dtd

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
// On Android this call throws ParserConfigurationException (see below)
fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Now when using this on Android we are getting the exception: ParserConfigurationException

As far as I understand, Android technically does not support it, as you can see in the source for Android 9: http://androidxref.com/9.0.0_r3/xref/libcore/luni/src/main/java/org/apache/harmony/xml/parsers/DocumentBuilderFactoryImpl.java

I have seen multiple questions regarding the same:

  1. documentbuilderfactory-cannot-setfeature-feature-secure-processing
  2. documentbuilderfactory-get-available-features

With all of this context, here are my questions:

  1. What is the recommended solution for enabling secure XML parsing?
  2. Do we have to resort to a 3rd-party solution?
  3. Or are the XML parsers that come by default with Android already secure, with features like external DTD processing disabled?
Edwin Abraham
  • The Android XML Pull Parser and the SAX Parser are both secure. This is because they are both event based, and lexical events (such as DTD, Entities, etc) need to be manually handled. – Eddie Lopez Sep 30 '21 at 20:16
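An added example, not code from the question, its author, or Android's libcore, showing one way to handle question 1 in code that has to run on both the JDK and Android: probe each hardening feature individually (the question shows that Android's factory throws ParserConfigurationException for a feature it does not know, where a JDK factory would accept it), and when the runtime refuses the DOCTYPE-blocking feature, fall back to rejecting any DOCTYPE before the parser sees the input. The class name HardenedXml, the feature list, the DOCTYPE pre-scan and the sample payload are mine; whether a given Android release resolves external entities on its own is not something this code assumes, which is why it also installs an EntityResolver that refuses every lookup.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedXml {

    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Feature -> value to set. Order matters only for logging. Each one is
    // attempted on its own because a factory that rejects one (Android's
    // libcore factory rejects all of these) must not stop the others.
    private static final Map<String, Boolean> HARDENING = new LinkedHashMap<>();
    static {
        HARDENING.put(DISALLOW_DOCTYPE, true);
        HARDENING.put("http://xml.org/sax/features/external-general-entities", false);
        HARDENING.put("http://xml.org/sax/features/external-parameter-entities", false);
        HARDENING.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        HARDENING.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    }

    /** Applies every hardening feature the factory accepts; returns the accepted ones. */
    public static Set<String> applyFeatures(DocumentBuilderFactory f) {
        Set<String> accepted = new LinkedHashSet<>();
        for (Map.Entry<String, Boolean> e : HARDENING.entrySet()) {
            try {
                f.setFeature(e.getKey(), e.getValue());
                accepted.add(e.getKey());
            } catch (ParserConfigurationException unsupported) {
                // Android's factory lands here for every Apache/SAX feature URI.
            }
        }
        // Plain JAXP setters that do not go through setFeature().
        f.setValidating(false);
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        try {
            f.setXIncludeAware(false);
        } catch (UnsupportedOperationException ignored) {
            // The base JAXP class throws this when XInclude is not implemented.
        }
        return accepted;
    }

    /** Parses untrusted XML text, refusing any document that carries a DOCTYPE. */
    public static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Set<String> accepted = applyFeatures(f);

        // Defence in depth: a DTD is what makes XXE, entity expansion and
        // external DTD fetches possible, so if the parser could not be told to
        // reject it, reject it here before parsing.
        if (!accepted.contains(DISALLOW_DOCTYPE) && containsDoctype(xml)) {
            throw new SAXException("DOCTYPE declarations are not allowed");
        }

        DocumentBuilder b = f.newDocumentBuilder();
        // Never fetch anything, whatever the parser's own entity handling does.
        b.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Case-insensitive scan. A false positive on the literal text "<!DOCTYPE" inside
     *  CDATA is an acceptable cost for untrusted input. */
    static boolean containsDoctype(String xml) {
        return xml.toUpperCase(Locale.ROOT).contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a classic file-read XXE payload and a benign document.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/hosts\">]>"
            + "<r>&x;</r>";
        String benign = "<?xml version=\"1.0\"?><r><item id=\"1\">ok</item></r>";
        try {
            parseUntrusted(xxe);
            System.out.println("BUG: XXE payload was accepted");
        } catch (SAXException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        System.out.println("root: " + parseUntrusted(benign).getDocumentElement().getTagName());
    }
}
```

Log the set returned by applyFeatures() once at startup on each target API level: on a JDK it should contain all five URIs, on Android it is expected to be empty, which is exactly when the pre-scan and the refusing EntityResolver carry the protection. Whether a given Android release's built-in parser also ignores external entities by itself is worth confirming with the XXE payload above rather than assuming it.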

0 Answers