Secure SAXParserFactory that prevents XXE
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.ParserConfigurationException; // thrown when the factory cannot honour a feature
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException; // thrown for unknown features
import org.xml.sax.SAXNotSupportedException; // thrown for known but unsupported features
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SecureSaxParser {

    /** Builds an XMLReader with external entities and DOCTYPE processing disabled. */
    public static XMLReader newSecureReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Factory features apply only to parsers created after they are set,
        // so harden the factory before calling newSAXParser().
        // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
        // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
        // Rejecting any DOCTYPE is the strongest option: no DTD means no entity declarations at all.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        SAXParser saxParser = spf.newSAXParser();
        XMLReader reader = saxParser.getXMLReader();
        // The same features can also be set on the XMLReader itself; this is the
        // only way to harden a reader that was created before the factory was configured.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return reader;
    }

    public static void main(String[] args) {
        try {
            XMLReader reader = newSecureReader();
            reader.setContentHandler(new DefaultHandler());
            // remaining parser logic
            reader.parse(new InputSource(new StringReader("<root/>")));
        } catch (ParserConfigurationException e) {
            // Tried an unsupported feature.
        } catch (SAXNotRecognizedException e) {
            // Tried an unknown feature.
        } catch (SAXNotSupportedException e) {
            // Tried a feature known to the parser but unsupported.
        } catch (SAXException | IOException e) {
            // Malformed input (including a rejected DOCTYPE) or a read error.
        }
    }
}
JohnsonTay commented Jul 5, 2018

Got it, it's useful for me!

AlainODea commented Jan 30, 2019

If you came here from https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J and are wondering about DocumentBuilderFactory, I have a Gist for that.

DocumentBuilderFactory that mitigates XXE using OWASP guidance:
https://gist.github.com/AlainODea/1779a7c6a26a5c135280bc9b3b71868f

goetzseb commented Aug 7, 2020

Do I have to configure the parser and reader instance separately, or do they get configured if the instances are created after the factory is configured?
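
An added check (example code, not from the Gist or its comments) that settles the ordering question above by experiment: it creates two readers from one factory, one before and one after disallow-doctype-decl is enabled on the factory, feeds each a constructed document carrying a harmless internal DOCTYPE, and shows that only the reader created after the factory was configured rejects it, while the earlier reader can still be hardened by calling setFeature on the XMLReader directly. The class and method names are my own.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeConfigCheck {
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed inputs: the DOCTYPE declares only a harmless internal entity,
    // but a hardened reader must refuse any DOCTYPE at all.
    static final String WITH_DOCTYPE = "<!DOCTYPE r [<!ENTITY x \"hi\">]><r>&x;</r>";
    static final String PLAIN = "<r>ok</r>";

    /** True if the reader parsed the document, false if it raised a SAXException. */
    static boolean accepts(XMLReader reader, String xml) throws IOException {
        try {
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false; // rejected DOCTYPE, or otherwise malformed
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();

        // Reader created before the factory is hardened: the later setFeature
        // call on the factory does not reach it, so it still parses the DOCTYPE.
        XMLReader early = spf.newSAXParser().getXMLReader();
        spf.setFeature(DISALLOW_DOCTYPE, true);
        System.out.println("early reader accepts DOCTYPE: " + accepts(early, WITH_DOCTYPE));

        // Reader created after: inherits the feature, rejects the DOCTYPE, still parses plain XML.
        XMLReader late = spf.newSAXParser().getXMLReader();
        System.out.println("late reader accepts DOCTYPE: " + accepts(late, WITH_DOCTYPE));
        System.out.println("late reader accepts plain XML: " + accepts(late, PLAIN));

        // An existing reader can still be hardened directly on the XMLReader.
        early.setFeature(DISALLOW_DOCTYPE, true);
        System.out.println("early reader, after direct setFeature, accepts DOCTYPE: "
            + accepts(early, WITH_DOCTYPE));
    }
}
```

Run it with the JDK's built-in parser to see the three outcomes side by side; the same check is a cheap regression test for any code path that builds SAX parsers.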
