saxbuilder-xxe

Configure the parser to disallow DOCTYPE declarations, which stops entity definitions from being processed at all:

    $PARSER.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)

Alternatively, the following configurations also provide protection against XXE attacks:

    $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    $PARSER.setFeature("http://xml.org/sax/features/external-general-entities", false)
    $PARSER.setExpandEntities(false)

It is also possible to use one of the constructor parameters that will result in a more secure parser by default:

    new SAXBuilder(XMLReaders.DTDVALIDATING)

or

    new SAXBuilder(XMLReaders.XSDVALIDATING)

For more information, see: Java XXE prevention
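As an added example (not part of the original rule text), the settings above applied to a JDOM2 SAXBuilder and checked against a constructed document that carries a DOCTYPE, to confirm the hardened parser rejects it while a plain document still parses. The class and method names, the sample documents and the extra `external-parameter-entities` feature (a standard SAX feature, not listed on this page) are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;

import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public class SaxBuilderXxeDemo {

    // Primary control: refuse any DOCTYPE, so no entity declaration (internal
    // or external) is ever processed. The remaining settings are defence in
    // depth in case the underlying XMLReader ignores the first feature.
    static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Assumption: standard SAX feature, added here beyond the page's list.
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setExpandEntities(false);
        return builder;
    }

    // Constructed sample: a document with a DOCTYPE. With disallow-doctype-decl
    // the parser rejects it before any entity is looked at.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
        + "<note>&greeting;</note>";

    // Constructed sample: no DOCTYPE, so the hardened parser accepts it.
    static final String PLAIN = "<note>hello</note>";

    // Returns true when the builder refuses the input, false when it parses.
    static boolean rejects(SAXBuilder builder, String xml) {
        try {
            builder.build(new StringReader(xml));
            return false;
        } catch (JDOMException | IOException e) {
            // The DOCTYPE violation surfaces as a parse error from the reader.
            return true;
        }
    }

    public static void main(String[] args) {
        SAXBuilder hardened = hardenedBuilder();
        System.out.println("DOCTYPE document rejected: " + rejects(hardened, WITH_DOCTYPE));
        System.out.println("plain document rejected:   " + rejects(hardened, PLAIN));
    }
}
```

If `build` throws a JDOMException complaining that a feature is unrecognised, the SAXBuilder is backed by a non-Xerces XMLReader; in that case the `external-*-entities` features and `ACCESS_EXTERNAL_DTD` are the settings to rely on.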