saxreader-xxe
Billion Laughs Attack
It is our recommendation to secure this parser against XXE attacks by configuring `$PARSER.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`. Alternatively, the following configuration also provides protection against XXE attacks: `$PARSER.setFeature("http://xml.org/sax/features/external-general-entities", false)`. Note that turning off external general entities blocks classic XXE (resolution of external entities) but does not stop a Billion Laughs payload, which uses only internal entities; refusing the DOCTYPE declaration outright blocks both. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start stops the parser from being abused through untrusted XML input. Reducing dependencies on external resources is also good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server, or one in transit, has not been tampered with by a malicious third party. For more information, see: Java XXE prevention
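The following is an added example, not part of the original rule text: a dom4j `org.dom4j.io.SAXReader` at its defaults beside one hardened as the rule recommends, and a third with only external entities disabled, all fed a constructed, deliberately small entity-expansion payload. It assumes dom4j 2.x on the classpath; the class name `SaxReaderXxeDemo`, the helper names, and the two extra feature switches (`external-parameter-entities`, `nonvalidating/load-external-dtd`, standard Xerces/SAX features beyond the one the rule lists) are the editor's additions.

```java
// Added example (not from the original rule text). Assumes dom4j 2.x (org.dom4j).
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class SaxReaderXxeDemo {

    // Constructed payload: three levels of ten-fold expansion, so "lol" appears
    // 1,000 times in the parsed text (3,000 characters). The real attack nests
    // ten levels (10^10 copies); this is kept small so the vulnerable parse finishes.
    static final String BILLION_LAUGHS =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [\n"
      + "  <!ENTITY lol \"lol\">\n"
      + "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<root>&lol3;</root>";

    // The finding itself: a SAXReader at its defaults accepts a DOCTYPE and expands entities.
    static SAXReader vulnerableReader() {
        return new SAXReader();
    }

    // The rule's primary recommendation: refuse any DOCTYPE, which rules out both
    // external entities (XXE) and internal entity expansion (Billion Laughs).
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return reader;
    }

    // The rule's alternative, plus two further standard features (editor's addition):
    // blocks resolution of external entities and DTDs, but an internal entity bomb
    // is still expanded because the DOCTYPE itself is still accepted.
    static SAXReader externalEntitiesDisabledReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Parse and report how much text the root element ends up holding after expansion.
    static int expandedTextLength(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText().length();
    }

    public static void main(String[] args) throws Exception {
        // Defaults: the entities are expanded to 3,000 characters.
        System.out.println("default reader, expanded text length: "
            + expandedTextLength(vulnerableReader(), BILLION_LAUGHS));

        // External entities off: the internal entity bomb is still expanded.
        System.out.println("external-entities-off reader, expanded text length: "
            + expandedTextLength(externalEntitiesDisabledReader(), BILLION_LAUGHS));

        // DOCTYPE disallowed: parsing fails before a single entity is defined.
        try {
            expandedTextLength(hardenedReader(), BILLION_LAUGHS);
            System.out.println("unexpected: hardened reader accepted the DOCTYPE");
        } catch (DocumentException e) {
            System.out.println("hardened reader rejected the document: " + e.getMessage());
        }
    }
}
```

Run it with dom4j on the classpath and compare the three outcomes: the first two readers report a 3,000-character root text, while the DOCTYPE-disallowing reader throws a `DocumentException` wrapping Xerces' "DOCTYPE is disallowed" parse error. The JDK's built-in parser does cap entity expansion (`jdk.xml.entityExpansionLimit`), which is why the payload here is small enough to pass; relying on that limit instead of rejecting the DOCTYPE still leaves the XXE path open.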