Set external-parameter-entities via ProfessionalTransformerFactory.setAttribute to avoid XXE vulnerability
The external entities are being resolved even after setting parser features (via the Java code below) not to resolve external entities. In the example below, /tmp/abc is resolved to the actual entities. Is there sample Java code for disabling external entities to avoid the XXE vulnerability? We are using Saxon-220.127.116.11 PE version.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
Updated by Mariusz B about 8 years ago
According to http://www.saxonica.com/html/documentation/javadoc/net/sf/saxon/lib/FeatureKeys.html#XML_PARSER_FEATURE and http://docstore.mik.ua/orelly/xml/xmlnut/ch25_03.htm you should set the value to false in the following way:
Hope that helps.
Updated by Michael Kay about 8 years ago
Firstly, I think the parser property you want to set is external-general-entities, not external-parameter-entities.
Secondly, the Saxon documentation is a little bit misleading. The property name that you pass to factory.setAttribute() should not contain the final "=" sign. But the colon should (I think) be escaped as %3A.
Finally, setting this property only affects settings on an XML parser that Saxon creates. It has no effect if your application creates the XML parser (that is, if the input is supplied to Saxon as a SAXSource object).
Updated by Rampradeep K about 8 years ago
Thanks Michael and Mariusz. We are not using the XML parser that Saxon creates. The question is how to instruct SaxonTransformerFactory.newTemplates(Source source) not to resolve any external entities? The stylesheet is passed as a StreamSource to the newTemplates method.
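The following is an added example, not code from the thread participants or from Saxonica, showing the point Michael Kay makes: when the application builds the XMLReader itself and hands Saxon a SAXSource, the parser hardening lives in the application's SAXParserFactory features and no Saxon attribute is involved. It assumes a stock JDK (Xerces-derived) SAX parser, the com.saxonica.config.ProfessionalTransformerFactory named in the issue title, and a constructed stylesheet plus a temporary file standing in for the /tmp/abc in the question.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SaxonNoXxe {

    // The application owns this parser, so these features apply regardless of
    // which Saxon edition or FeatureKeys attributes are in play.
    static XMLReader hardenedReader(boolean allowDoctype) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Strongest option: reject any DOCTYPE at all (Xerces feature, supported by the JDK parser).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
        // If a DOCTYPE must be tolerated, never fetch external entities or external DTDs.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    // Compile the stylesheet from a SAXSource that wraps our own XMLReader,
    // so Saxon does not create a parser of its own for this input.
    static Templates compile(TransformerFactory factory, XMLReader reader, String xslt)
            throws TransformerConfigurationException {
        InputSource in = new InputSource(new StringReader(xslt));
        return factory.newTemplates(new SAXSource(reader, in));
    }

    static String run(Templates templates, String xml) throws Exception {
        StringWriter out = new StringWriter();
        templates.newTransformer().transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for /tmp/abc from the question (assumption).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));
        try {
            // Constructed stylesheet that tries to pull the file in via an external general entity.
            String xslt =
                "<!DOCTYPE xsl:stylesheet [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n" +
                "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n" +
                "  <xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>\n" +
                "  <xsl:template match=\"/\"><leaked>&xxe;</leaked></xsl:template>\n" +
                "</xsl:stylesheet>";

            // Saxon PE factory as named in the issue title; Saxon HE would use net.sf.saxon.TransformerFactoryImpl.
            TransformerFactory factory = new com.saxonica.config.ProfessionalTransformerFactory();

            // 1. StreamSource: Saxon creates the parser, so only Saxon's own settings govern entity expansion.
            String viaStream = run(factory.newTemplates(new StreamSource(new StringReader(xslt))), "<doc/>");
            System.out.println("StreamSource, Saxon-created parser: " + viaStream);

            // 2. SAXSource, entities disabled but DOCTYPE tolerated: the reference is skipped, not fetched.
            String viaSax = run(compile(factory, hardenedReader(true), xslt), "<doc/>");
            System.out.println("SAXSource, external entities off:   " + viaSax);

            // 3. SAXSource with DOCTYPE forbidden: compilation fails fast instead of silently dropping content.
            try {
                compile(factory, hardenedReader(false), xslt);
                System.out.println("SAXSource, DOCTYPE forbidden: unexpectedly accepted");
            } catch (TransformerConfigurationException e) {
                System.out.println("SAXSource, DOCTYPE forbidden: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With a stock JDK parser and no Saxon attributes set, the first run is the one that expands the entity and copies the file contents into the output; the second yields an empty leaked element because the parser skips the unresolved external entity; the third never compiles the stylesheet. Case 3 is the behaviour to prefer for stylesheets and documents that should never carry a DOCTYPE, since a skipped entity can hide a tampered input rather than flag it. If the stylesheet has to stay a StreamSource so that Saxon creates the parser, the lever is the FeatureKeys.XML_PARSER_FEATURE attribute Michael Kay describes above; that attribute is never consulted for an XMLReader the application supplies in a SAXSource, which is why the features are set directly on the SAXParserFactory here.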