tainted-xmlreader-xxe-spring
Billion Laughs Attack
It is our recommendation to secure this parser against XXE attacks by configuring the XMLReader parser with parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true). Alternatively, the following configurations also provide protection against XXE attacks: parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""), or configuring both parser.setFeature("http://xml.org/sax/features/external-general-entities", false) and parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false). For more information, see: Java XXE prevention
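The two hardening options above, as an added example (not code from the rule or its project): a JDK SAX XMLReader built once with disallow-doctype-decl and once with the external-DTD/entity features switched off, then fed a constructed document that carries a DOCTYPE with an internal entity. The class and helper names are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlReader {

    // Constructed sample input: a document with a DOCTYPE declaring an internal entity.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";

    // Constructed sample input without any DOCTYPE.
    static final String PLAIN_DOC = "<note>hello</note>";

    // Primary recommendation: refuse any DOCTYPE declaration outright.
    static XMLReader newHardenedReader() throws Exception {
        XMLReader parser = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return parser;
    }

    // Alternative from the rule text: keep DOCTYPE but block external DTDs and
    // external general/parameter entities.
    static XMLReader newNoExternalEntitiesReader() throws Exception {
        XMLReader parser = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
        parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return parser;
    }

    // Returns true if the parser accepted the document, false if it rejected it.
    static boolean parses(XMLReader parser, String xml) throws Exception {
        parser.setContentHandler(new DefaultHandler());
        try {
            parser.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened / plain:   " + parses(newHardenedReader(), PLAIN_DOC));
        System.out.println("hardened / DOCTYPE: " + parses(newHardenedReader(), DOC_WITH_DOCTYPE));
        System.out.println("no-external / DOCTYPE: " + parses(newNoExternalEntitiesReader(), DOC_WITH_DOCTYPE));
    }
}
```

The disallow-doctype-decl reader rejects DOC_WITH_DOCTYPE with a SAXParseException before any entity is expanded, while the alternative configuration still accepts it because the entity is internal; that is why disallowing DOCTYPE is the primary recommendation.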