Support #2457

closed

Set external-parameter-entities via ProfessionalTransformerFactory.setAttribute to avoid XXE vulnerability

Added by Rampradeep K about 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: High
Category: -
Sprint/Milestone: -
Start date: 2015-09-21
% Done: 0%

Description

  The external entities are still being resolved even after setting the parser features (via the Java code below) not to resolve external entities. In the example below, /tmp/abc is resolved to the actual entities. Is there sample Java code for disabling external entities to avoid the XXE vulnerability? We are using the Saxon-9.6.0.7 PE version.

Java Code:

factory.setAttribute("http://saxon.sf.net/feature/parserFeature?uri=http%3A//xml.org/sax/features/external-parameter-entities=",true);

Xslt:

]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    &inc;
  </xsl:template>
</xsl:stylesheet>
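The configuration the ticket is asking for, written out as an added editor's example (not code from the ticket and not Saxonica's own sample). It assumes Saxon-PE is on the classpath and that `ProfessionalTransformerFactory` lives in the package `com.saxonica.config`; it also assumes that the SAX feature URI is appended to Saxon's `parserFeature?uri=` prefix unencoded, without the trailing `=` seen in the ticket, and that the value must be `false` to disable the entities (the ticket's call passes `true`). The reliable part is independent of those assumptions: the stylesheet and the input are both parsed by an `XMLReader` that the application configures itself and hands to Saxon inside a `SAXSource`, so Saxon never creates a parser of its own for them.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedSaxonTransform {

    // Standard SAX feature URIs; the last two are Xerces features that the JDK's
    // built-in parser also understands.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds an XMLReader that will not fetch external entities or external DTDs. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(EXT_GENERAL, false);
        spf.setFeature(EXT_PARAM, false);
        spf.setFeature(LOAD_EXT_DTD, false);
        // Strongest setting: any DOCTYPE at all is rejected with a SAXParseException.
        // Drop this line only if stylesheets or inputs legitimately need an internal DTD.
        spf.setFeature(DISALLOW_DOCTYPE, true);
        return spf.newSAXParser().getXMLReader();
    }

    /** Wraps XML text in a SAXSource that Saxon must parse with the hardened reader. */
    static SAXSource hardenedSource(String xml) throws Exception {
        return new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: Saxon-PE on the classpath; package name assumed from the ticket title.
        TransformerFactory factory = new com.saxonica.config.ProfessionalTransformerFactory();

        // Also configure the parser Saxon builds for itself (used when a StreamSource
        // rather than a SAXSource is supplied). Assumption: unencoded feature URI after
        // Saxon's parserFeature prefix, and Boolean.FALSE to disable.
        final String prefix = "http://saxon.sf.net/feature/parserFeature?uri=";
        factory.setAttribute(prefix + EXT_GENERAL, Boolean.FALSE);
        factory.setAttribute(prefix + EXT_PARAM, Boolean.FALSE);

        // Constructed stylesheet: same shape as the ticket's, without its DOCTYPE.
        String xslt = "<xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'>"
                + "<xsl:template match='/'><out/></xsl:template>"
                + "</xsl:stylesheet>";
        String input = "<doc/>"; // constructed input document

        Transformer t = factory.newTransformer(hardenedSource(xslt));
        t.transform(hardenedSource(input), new StreamResult(System.out));
    }
}
```

Fed the ticket's own stylesheet, with its DOCTYPE and `&inc;` reference, this program stops at the DOCTYPE with a `SAXParseException` instead of reading `/tmp/abc`; that exception is the event to log and alert on. The `SAXSource` route is the one to rely on, because `TransformerFactory.setAttribute` only governs parsers that Saxon creates itself, and a `Source` that already carries an `XMLReader` bypasses that configuration entirely.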
