Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Secure SAXParserFactory that prevents XXE
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException; // catching unknown features
import org.xml.sax.SAXNotSupportedException; // catching known but unsupported features
import org.xml.sax.XMLReader;
...
SAXParserFactory spf = SAXParserFactory.newInstance();
SAXParser saxParser = spf.newSAXParser();
XMLReader reader = saxParser.getXMLReader();
try {
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
// Using the SAXParserFactory's setFeature
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Using the XMLReader's setFeature
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Xerces 2 only - http://xerces.apache.org/xerces-j/features.html#external-general-entities
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// remaining parser logic
...
} catch (ParserConfigurationException e) {
// Tried an unsupported feature.
} catch (SAXNotRecognizedException e) {
// Tried an unknown feature.
} catch (SAXNotSupportedException e) {
// Tried a feature known to the parser but unsupported.
} catch ... {
}
...
@JohnsonTay

This comment has been minimized.

Copy link

@JohnsonTay JohnsonTay commented Jul 5, 2018

Got it,it's useful for me!

@AlainODea

This comment has been minimized.

Copy link

@AlainODea AlainODea commented Jan 30, 2019

If you came here from https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J and are wondering about DocumentBuilderFactory, I have a Gist for that.

DocumentBuilderFactory that mitigates XXE using OWASP guidance:
https://gist.github.com/AlainODea/1779a7c6a26a5c135280bc9b3b71868f

@goetzseb

This comment has been minimized.

Copy link

@goetzseb goetzseb commented Aug 7, 2020

Do I have to configure the parser and reader instance seperately or do they get configured if the instances are created after the factory is configured?

@asudhak

This comment has been minimized.

Copy link

@asudhak asudhak commented Aug 31, 2020

The configuration is only for the factory. You don't need any additional configuration steps.

@Sohaibgit

This comment has been minimized.

Copy link

@Sohaibgit Sohaibgit commented Sep 28, 2020

Hi,
Where should I place this class so that it works?
I want to prevent XXE in my java SOAP project

@asudhak

This comment has been minimized.

Copy link

@asudhak asudhak commented Sep 29, 2020

Hi @Sohaibgit - You may not be able to use this 'as-is'. Take a look at your code in the class where the SaxParserFactory is instantiated, and ensure that you're setting the features to ensure it is not susceptible to XXE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.