
I am working on code to avoid XXE attacks, so I was required to use DocumentBuilderFactory and use the setFeature method of the same class to set a .xsd file as the feature.

For example, the .xsd file is stored in the C drive. So I've been using the code as:

    ...
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("file:///C:/mapp.xsd", true);
    ...

However, this is giving the ParserConfigurationException with the error: Feature 'file:///C:/mapp.xsd' is not recognized.

I have to work with this local file as it is the client's requirement, so any help regarding this would be awesome :)

Thanks.

Tejas Shetty
  • Does this answer your question? [How to prevent XXE attack](https://stackoverflow.com/q/40649152/5221149) – Andreas May 25 '21 at 07:34
  • You also should read this: [XML External Entity Prevention Cheat Sheet - Java](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java). – Andreas May 25 '21 at 07:37
  • @Andreas it doesn't actually. The thing I am stuck on is I am not able to reference a local .xsd file in the DocumentBuilderFactory's setFeature which is currently my requirement :) – Tejas Shetty May 25 '21 at 07:41
  • Where did you see that a "feature" name is supposed to be the name of an XSD file? All examples of feature names I've seen are fixed "property" names, like `.../disallow-doctype-decl`, `.../external-general-entities`, `.../external-parameter-entities`, `.../load-external-dtd`, where `...` is some URL. – Andreas May 25 '21 at 08:40
  • I think you need `setSchema()` ([ref](https://docs.oracle.com/javase/8/docs/api/javax/xml/parsers/DocumentBuilderFactory.html#setSchema-javax.xml.validation.Schema-)) – Nikos Paraskevopoulos May 25 '21 at 08:47
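
The two suggestions in the comments combined, as an added example that is not code from the question or from any commenter: `setFeature` receives the parser's fixed feature names, and the local XSD is attached with `setSchema()`. It assumes the JDK's built-in JAXP implementation; the class name, error handler and sample document are constructed for illustration, and the XSD path is the one from the question.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Added example (hypothetical class name); assumes the JDK's built-in JAXP implementation.
public class HardenedXsdParser {
    static DocumentBuilder newBuilder(File xsd) throws Exception {
        // The XSD is a schema, not a feature: compile it, with external DTD/schema fetches blocked.
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Feature names are fixed identifiers that the parser recognizes.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);       // required for XSD validation
        dbf.setSchema(sf.newSchema(xsd));  // the local schema is attached here
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Validation errors are only reported by default; make them abort the parse.
        db.setErrorHandler(new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
        });
        return db;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = newBuilder(new File("C:/mapp.xsd")); // path from the question
        // Constructed input: any DOCTYPE is refused before entities are processed.
        String xml = "<!DOCTYPE r [<!ENTITY x \"v\">]><r>&x;</r>";
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed (unexpected for input with a DOCTYPE)");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If `mapp.xsd` itself uses `xs:include` or `xs:import` for other local files, set `ACCESS_EXTERNAL_SCHEMA` to `"file"` instead of `""`.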

0 Answers