Skip to content

Instantly share code, notes, and snippets.

@asudhak

asudhak/SecureXMLParser.java

Created March 10, 2015 19:37
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save asudhak/48adbb11b6a499847c06 to your computer and use it in GitHub Desktop.
Save asudhak/48adbb11b6a499847c06 to your computer and use it in GitHub Desktop.
Download ZIP
Secure SAXParserFactory that prevents XXE
Raw
SecureXMLParser.java
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException; // catching unknown features
import org.xml.sax.SAXNotSupportedException; // catching known but unsupported features
import org.xml.sax.XMLReader;
...
SAXParserFactory spf = SAXParserFactory.newInstance();
SAXParser saxParser = spf.newSAXParser();
XMLReader reader = saxParser.getXMLReader();
try {
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
// Using the SAXParserFactory's setFeature
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Using the XMLReader's setFeature
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Xerces 2 only - http://xerces.apache.org/xerces-j/features.html#external-general-entities
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// remaining parser logic
...
} catch (ParserConfigurationException e) {
// Tried an unsupported feature.
} catch (SAXNotRecognizedException e) {
// Tried an unknown feature.
} catch (SAXNotSupportedException e) {
// Tried a feature known to the parser but unsupported.
} catch ... {
}
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment