
I have got a cross-site scripting error for my outputStream in the code

    // imports the method needs (the servlet class and its xmlrpc field are not shown)
    import java.io.IOException;
    import java.io.OutputStream;
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // get authorization header from request
        String auth = "" + request.getHeader("Authorization");
        String user = "";
        String password = "";

        if (request.getHeader("Authorization") != null) {

            if (!auth.toUpperCase().startsWith("BASIC")) {
                throw new ServletException("wrong kind of authorization!");
            }

            try {
                // get encoded username and password ("Basic " is 6 characters)
                String userPassEncoded = auth.substring(6);

                // decode with java.util.Base64 instead of the non-portable
                // sun.misc.BASE64Decoder / project-specific Decoder.BASE64Decoder
                String userPassDecoded = new String(
                        Base64.getDecoder().decode(userPassEncoded), StandardCharsets.UTF_8);

                // split decoded username and password
                int col = userPassDecoded.indexOf(':');
                user = userPassDecoded.substring(0, col);
                password = userPassDecoded.substring(col + 1);

            } catch (Throwable ignore) {
                ignore.printStackTrace();
                // bury as this is ok not to find them
            }
        }

        // Must call with username & password or AdminHandler will null for those
        byte[] result = xmlrpc.execute(request.getInputStream(), user, password);
        response.setContentType("text/xml");
        response.setContentLength(result.length);
        OutputStream out = response.getOutputStream();
        out.write(result);
        out.flush();
    }

So I followed the output-encoding process to overcome the cross-site scripting issue and encoded the result byte array like this, using the OWASP Encoder:

    // Encode is org.owasp.encoder.Encode from the OWASP Java Encoder library
    byte[] result = xmlrpc.execute(request.getInputStream(), user, password);
    response.setContentType("text/xml; charset=UTF-8");
    String sanitizedResult = Encode.forXml(new String(result, StandardCharsets.UTF_8));
    byte[] body = sanitizedResult.getBytes(StandardCharsets.UTF_8);
    // Content-Length is a byte count; String.length() counts chars and is wrong for non-ASCII
    response.setContentLength(body.length);
    OutputStream out = response.getOutputStream();
    out.write(body);
    out.flush();

My encoded XML value is this. Note: the parser is able to read the XML before encoding; it is only not able to read it after encoding.

    <?xml version="1.0" encoding="ISO-8859-1"?><methodResponse><params><param><value><struct><member><name>msg</name><value>T0s=</value></member></struct></value></param></params></methodResponse>
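The following is an added example, not code from the question or the answer, that shows why the second snippet stops the parser from reading the response: `Encode.forXml` applied to the whole document turns the markup itself (`<?xml`, `<methodResponse>`, ...) into escaped text, so the client receives a string that is no longer XML. Output encoding belongs only to untrusted data placed inside an element, which for an XML-RPC response is normally done by the library that builds it. The class name, the hand-built response and the hostile sample value are constructed for the demo; it assumes the OWASP Java Encoder (`org.owasp.encoder.Encode`) is on the classpath and uses the JDK's `DocumentBuilder` as an offline well-formedness check. It also writes the body as UTF-8 and declares UTF-8 in the prolog, whereas the response shown in the question declares ISO-8859-1 while the snippet writes UTF-8 bytes.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.owasp.encoder.Encode;

/** Demo (added example): whole-document encoding vs. per-value encoding of an XML response. */
public class XmlOutputEncodingDemo {

    // Constructed sample shaped like the XML-RPC response in the question; the "msg"
    // value is the only untrusted part, so it is the only part that gets encoded.
    static String buildResponse(String untrustedMsg) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
             + "<methodResponse><params><param><value><struct><member>"
             + "<name>msg</name><value>" + Encode.forXml(untrustedMsg) + "</value>"
             + "</member></struct></value></param></params></methodResponse>";
    }

    /** True if the bytes are well-formed XML (DOCTYPE and external entities disabled). */
    static boolean parses(byte[] xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new ByteArrayInputStream(xml));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed hostile value: markup that must never reach a client unescaped.
        String hostile = "<script>alert(1)</script>";

        // 1) What the question's second snippet does: encode the entire document.
        //    The prolog becomes "&lt;?xml ...", which is text, not XML, so parsing fails.
        byte[] whole = Encode.forXml(buildResponse("OK")).getBytes(StandardCharsets.UTF_8);
        System.out.println("whole document encoded -> parses? " + parses(whole));

        // 2) Encode only the untrusted value: the markup is intact and the value is inert.
        byte[] perValue = buildResponse(hostile).getBytes(StandardCharsets.UTF_8);
        System.out.println("only values encoded     -> parses? " + parses(perValue));
        System.out.println(new String(perValue, StandardCharsets.UTF_8));

        // 3) Content-Length must be the byte length of what is written, not String.length().
        System.out.println("Content-Length: " + perValue.length);
    }
}
```

Running it prints `false` for the whole-document case and `true` for the per-value case, with the hostile value rendered as `&lt;script&gt;alert(1)&lt;/script&gt;` inside `<value>`. In the servlet itself, keeping `Content-Type: text/xml; charset=UTF-8` (as the question's second snippet already does) is what tells a browser not to treat the body as HTML; the XSS finding on the raw `out.write(result)` is addressed by encoding values where the response is built, not by re-encoding the finished document.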

1 Answer


Check for these problems:

  1. If there are characters before the XML declaration (<?xml version="1.0" encoding="ISO-8859-1"?>), delete them.

  2. If you're parsing a non-XML file, change to parsing an actual XML file.

  3. If you're passing the filename to a call that expects a string of XML, change to passing a string of XML.

  4. If you're receiving Base64-encoded, compressed, or otherwise represented XML, decode/decompress/convert it before parsing.


kjhughes