Skip to content

Instantly share code, notes, and snippets.

Created March 10, 2015 21:53
Show Gist options
  • Save asudhakar02/45e2e6fd8bcdfb4bc3b2 to your computer and use it in GitHub Desktop.
Save asudhakar02/45e2e6fd8bcdfb4bc3b2 to your computer and use it in GitHub Desktop.
Secure SAXParserFactory that prevents XXE
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException; // catching unknown features
import org.xml.sax.SAXNotSupportedException; // catching known but unsupported features
import org.xml.sax.XMLReader;
SAXParserFactory spf = SAXParserFactory.newInstance();
SAXParser saxParser = spf.newSAXParser();
XMLReader reader = saxParser.getXMLReader();
try {
// Xerces 1 -
// Xerces 2 -
// Using the SAXParserFactory's setFeature
spf.setFeature("", false);
// Using the XMLReader's setFeature
reader.setFeature("", false);
// Xerces 2 only -
spf.setFeature("", true);
// remaining parser logic
} catch (ParserConfigurationException e) {
// Tried an unsupported feature.
} catch (SAXNotRecognizedException e) {
// Tried an unknown feature.
} catch (SAXNotSupportedException e) {
// Tried a feature known to the parser but unsupported.
} catch ... {
Copy link

Got it,it's useful for me!

Copy link

If you came here from and are wondering about DocumentBuilderFactory, I have a Gist for that.

DocumentBuilderFactory that mitigates XXE using OWASP guidance:

Copy link

goetzseb commented Aug 7, 2020

Do I have to configure the parser and reader instance seperately or do they get configured if the instances are created after the factory is configured?

Copy link

asudhak commented Aug 31, 2020

The configuration is only for the factory. You don't need any additional configuration steps.

Copy link

Where should I place this class so that it works?
I want to prevent XXE in my java SOAP project

Copy link

asudhak commented Sep 29, 2020

Hi @Sohaibgit - You may not be able to use this 'as-is'. Take a look at your code in the class where the SaxParserFactory is instantiated, and ensure that you're setting the features to ensure it is not susceptible to XXE

Copy link

ecki commented Feb 9, 2021

The code is a bit missleading, I would not request a parser and reader from the factory before configuring the factory. (and it should not nead to configure the reader from a configured factory in that case, right?)

Copy link

Two comments, if you can't spf.setFeature("", true); because this means your parser throws an error if a DTD is included in the document (which might be there from legacy documents).

So we found we had to disable the external loading using spf.setFeature("", false);

This feature gets ignored though by xerces if you set the setValidating on SAXParserFactory to true, so make sure that is set to false or xerces will always try to load the DTD and external DTDs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment