Disable external entities resolution in the default XML parser to prevent XXE attacks

Description

The default behavior of Java XML parsers is to happily resolve external XML entities, which exposes any application that processes untrusted XML documents to XXE vulnerabilities.

By default, data.xml should initialize the XML parser with XXE processing disabled.
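An added example (not part of this ticket or of data.xml itself) of the defensive pattern the ticket asks for: parse untrusted XML through data.xml with external entity resolution and DTD support switched off, and check with a canary file that the external entity is never read. It assumes data.xml's keyword parser options (`:supporting-external-entities`, `:support-dtd`) as mapped onto the StAX XMLInputFactory properties; the canary file and the sample document are constructed here.

```clojure
(ns xxe-demo
  (:require [clojure.data.xml :as xml]
            [clojure.string :as str])
  (:import [java.io StringReader File]
           [javax.xml.stream XMLStreamException]))

;; Constructed sample: a canary file the parser must never read, and an
;; XML document whose internal DTD declares an external entity for it.
(def canary-file
  (doto (File/createTempFile "xxe-canary" ".txt") .deleteOnExit))
(spit canary-file "CANARY-CONTENT")

(def untrusted-xml
  (str "<?xml version=\"1.0\"?>\n"
       "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" (.toURI canary-file) "\">]>\n"
       "<doc><name>&ext;</name></doc>"))

(defn parse-untrusted
  "Parse XML from an untrusted source with external entities and DTD
   processing switched off. The keyword options map onto XMLInputFactory's
   IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD properties; passing them
   explicitly means the outcome does not hinge on the default of whichever
   data.xml version is on the classpath. The tree is realized inside the
   try because data.xml parses lazily. Returns the element tree, or
   :rejected when the StAX implementation refuses the document."
  [^String s]
  (try
    (let [tree (xml/parse (StringReader. s)
                          :supporting-external-entities false
                          :support-dtd false)]
      (dorun (xml-seq tree))
      tree)
    (catch XMLStreamException _ :rejected)))

(defn leaks-canary?
  "True if any text node of the parsed tree carries the canary file's
   contents, i.e. the external entity was actually resolved."
  [tree]
  (and (not= tree :rejected)
       (boolean (some #(and (string? %) (str/includes? % "CANARY-CONTENT"))
                      (xml-seq tree)))))

(comment
  ;; Hardened configuration: the document is either parsed with the entity
  ;; left unresolved or rejected outright; the canary never surfaces.
  (leaks-canary? (parse-untrusted untrusted-xml)))
```

Which of the two safe outcomes you get (unresolved entity versus a rejected document) depends on the StAX implementation on the classpath; the check only cares that the canary content is absent from the tree.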

Environment

None

Activity

Ryan Senior
September 28, 2014, 1:23 PM

Patch looks good, I've applied it. Thanks Carlo

Carlo Sciolla
September 28, 2014, 5:51 PM

Great, thanks!

Completed

Assignee

Ryan Senior

Reporter

Carlo Sciolla

Labels

Approval

None

Patch

Code and Test

Priority

Critical