tainted-saxparser-xxe-servlet
`factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`. Alternatively, the following configurations for the `SAXParserFactory` also provide protection against XXE attacks: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, or setting both `factory.setFeature("http://xml.org/sax/features/external-general-entities", false)` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)`. Furthermore, you can configure the `SAXParser` itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")` to provide protection against XXE attacks. For more information, see: Java XXE prevention
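The following is an added example, not code from the query or its documentation, showing the default `SAXParserFactory` configuration beside the hardened settings listed above, and what each does with a constructed document that declares an external entity. The class name `SaxXxeDemo`, the helper names and the sample document are assumptions made for the example; the feature and property names are the ones from the text.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.IOException;
import java.io.StringReader;

public class SaxXxeDemo {

    // Constructed sample input (not from the original page): a document that
    // declares an external general entity. The SYSTEM identifier points at a
    // path that need not exist; what matters is whether the parser tries to
    // resolve it at all.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///nonexistent/secret.txt\">]>\n"
      + "<data>&ext;</data>";

    // Default configuration: DOCTYPE declarations and external entities are
    // processed, so the parser will try to read the referenced file.
    static SAXParser newDefaultParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    // Hardened configuration. Disallowing the DOCTYPE declaration is the
    // strongest option and makes any DOCTYPE a fatal error. When a DOCTYPE must
    // still be accepted, the fallback is to switch off external general and
    // parameter entities and enable secure processing on the factory, and to
    // block external DTD access on the parser itself.
    static SAXParser newHardenedParser(boolean allowDoctype)
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (!allowDoctype) {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } else {
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        SAXParser parser = factory.newSAXParser();
        // Parser-level property: an empty protocol list means no external DTD
        // or external entity may be fetched by any protocol.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return parser;
    }

    // Parses the sample document and reports the outcome instead of throwing,
    // collecting character data so we can see whether the entity was expanded.
    static String tryParse(String label, SAXParser parser) {
        StringBuilder text = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        };
        try {
            parser.parse(new InputSource(new StringReader(XXE_DOC)), handler);
            return label + ": parsed, text=\"" + text + "\"";
        } catch (SAXParseException e) {
            // The hardened parsers land here: DOCTYPE disallowed, or external access blocked.
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (SAXException | IOException e) {
            // The default parser lands here with a FileNotFoundException,
            // which shows it actually attempted to read the external file.
            return label + ": error (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse("default", newDefaultParser()));
        System.out.println(tryParse("no DOCTYPE", newHardenedParser(false)));
        System.out.println(tryParse("DOCTYPE allowed, entities off", newHardenedParser(true)));
    }
}
```

The feature and property names above are recognized by the Xerces implementation bundled with the JDK; a third-party SAX implementation that does not support one of them throws a `SAXNotRecognizedException` or `SAXNotSupportedException` from `setFeature` or `setProperty`, so treat that exception as a configuration failure rather than swallowing it and parsing with the defaults.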