
My application uses JDK6. I have to fix the XXE vulnerability in my code, and I was able to find a solution as below. But the code below works only with JDK7. I have a limitation: I must fix this without upgrading to JDK7. The code I found as a fix is

    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

So far I tried to use the following code. But it did not fix the issue.

    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);

  • Have you found any workaround? I am facing a similar issue. I am on Java 8 but `TransformerFactoryImpl` is injected from the `xalan` jar, which does not support `ACCESS_EXTERNAL_DTD` – Naveen Jan 13 '21 at 11:31
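Added example, not from the question or from any answer: on JDK6 (and on a Xalan `TransformerFactoryImpl` that lacks `ACCESS_EXTERNAL_DTD`) one way to keep external entities out of a transform is to do the parsing with a hardened SAX reader and hand the transformer a `SAXSource`, so the transformer never parses the untrusted input itself. The class name, method names and the sample XML below are constructed for illustration; the feature URIs are the standard SAX/Xerces ones.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeTransformJdk6 { // constructed example class
    // SAX reader that rejects any DOCTYPE and never loads external entities or DTDs.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }
    // Identity transform of untrusted XML; parsing happens in the hardened reader above.
    static String transform(String untrustedXml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // setFeature, not setAttribute
        Transformer t = tf.newTransformer();
        // Refuse every URI a stylesheet or document could ask for (document(), xsl:include, ...).
        t.setURIResolver(new URIResolver() {
            public Source resolve(String href, String base) throws TransformerException {
                throw new TransformerException("external reference blocked: " + href);
            }
        });
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(untrustedXml)));
        StringWriter out = new StringWriter();
        t.transform(src, new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: a DOCTYPE declaring an external entity, which the reader rejects
        // before the entity reference is ever expanded.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"file:///placeholder\">]><d>&x;</d>";
        try { transform(withDoctype); } catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println(transform("<d>plain</d>")); // ordinary input still passes through
    }
}
```

To verify the hardening actually took effect with your JAXP/Xalan stack, run the class and confirm the first call is rejected rather than silently producing output.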

0 Answers