Secure SAXParserFactory that prevents XXE
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException; // base class of the two SAX feature exceptions; also thrown by newSAXParser()
import org.xml.sax.SAXNotRecognizedException; // catching unknown features
import org.xml.sax.SAXNotSupportedException; // catching known but unsupported features
import org.xml.sax.XMLReader;
...
SAXParserFactory spf = SAXParserFactory.newInstance();
try {
    // Configure the factory BEFORE creating a parser from it: a parser created
    // earlier keeps its own settings and does not pick up later factory changes.
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    // Using the SAXParserFactory's setFeature
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

    SAXParser saxParser = spf.newSAXParser();
    XMLReader reader = saxParser.getXMLReader();
    // A reader obtained from the configured factory already carries the features set above;
    // the XMLReader's setFeature is the alternative when you only hold a reader.
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // remaining parser logic
    ...
} catch (ParserConfigurationException e) {
    // Tried an unsupported feature, or the factory could not create a parser.
} catch (SAXNotRecognizedException e) {
    // Tried an unknown feature.
} catch (SAXNotSupportedException e) {
    // Tried a feature known to the parser but unsupported.
} catch (SAXException e) {
    // Any other SAX failure while creating the parser.
}
...
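The following is an added, complete example (not the gist's own code) that applies the same hardening as a reusable factory builder and then checks two things a defender cares about: that a reader created from the configured factory reports the features as set, so no separate reader configuration is required, and that a document carrying any DOCTYPE is rejected before its entities are processed. The class name `HardenedSaxDemo`, the method names, and the two sample documents are constructed for this example; the `external-parameter-entities` feature and `XMLConstants.FEATURE_SECURE_PROCESSING` are standard JAXP/SAX settings added here as defense in depth beyond the two features in the gist.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Feature URIs from the gist plus the standard SAX parameter-entity feature.
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a factory that is fully hardened before any parser is created from it. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE, which removes entity declarations entirely.
        spf.setFeature(DISALLOW_DOCTYPE, true);
        // Defense in depth for parsers that do not honour the Xerces-specific feature.
        spf.setFeature(EXTERNAL_GENERAL, false);
        spf.setFeature(EXTERNAL_PARAMETER, false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf;
    }

    /** Parses xml with a reader from the hardened factory; false means the input was rejected. */
    static boolean parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        XMLReader reader = hardenedFactory().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            // Raised by disallow-doctype-decl as soon as a DOCTYPE is seen.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // A reader created AFTER the factory is configured inherits the features,
        // so reading them back shows no separate reader configuration is needed.
        XMLReader reader = hardenedFactory().newSAXParser().getXMLReader();
        System.out.println("disallow-doctype-decl on reader: " + reader.getFeature(DISALLOW_DOCTYPE));
        System.out.println("external-general-entities on reader: " + reader.getFeature(EXTERNAL_GENERAL));

        // Constructed sample inputs for this example; the second uses only an internal entity,
        // which is enough to show that the DOCTYPE itself is refused.
        String plain = "<order><item>widget</item></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY greeting \"hello\">]><order>&greeting;</order>";
        System.out.println("plain document accepted: " + parse(plain));
        System.out.println("DOCTYPE document accepted: " + parse(withDoctype));
    }
}
```

Run it with `javac HardenedSaxDemo.java && java HardenedSaxDemo` on a stock JDK; the bundled Xerces-derived parser recognises all four features. Because `hardenedFactory()` sets features before `newSAXParser()`, every parser it hands out is hardened, which is the ordering the gist's configure-then-create sequence relies on.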
@JohnsonTay JohnsonTay commented Jul 5, 2018

Got it, it's useful for me!

@AlainODea AlainODea commented Jan 30, 2019

If you came here from https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J and are wondering about DocumentBuilderFactory, I have a Gist for that.

DocumentBuilderFactory that mitigates XXE using OWASP guidance:
https://gist.github.com/AlainODea/1779a7c6a26a5c135280bc9b3b71868f

@goetzseb goetzseb commented Aug 7, 2020

Do I have to configure the parser and reader instances separately, or do they get configured if the instances are created after the factory is configured?

@asudhak asudhak commented Aug 31, 2020

The configuration is only for the factory. You don't need any additional configuration steps.

@Sohaibgit Sohaibgit commented Sep 28, 2020

Hi,
Where should I place this class so that it works?
I want to prevent XXE in my Java SOAP project.

@asudhak asudhak commented Sep 29, 2020

Hi @Sohaibgit - You may not be able to use this 'as-is'. Take a look at your code in the class where the SAXParserFactory is instantiated, and ensure that you're setting the features so that it is not susceptible to XXE.

@ecki ecki commented Feb 9, 2021

The code is a bit misleading; I would not request a parser and reader from the factory before configuring the factory. (And there should be no need to configure the reader from a configured factory in that case, right?)
