Posted to c-users@xerces.apache.org by liangsheng <ha...@hotmail.com> on 2015/01/21 09:34:09 UTC
How to avoid XML External Entity (XXE) Vulnerability with Xerces-c++
Hello: I am using Xerces-c++ 2.7.0. I work with SAX2 interface.
I just learned about the XXE vulnerability, that is, using entity expansion or an external entity attack to consume the resources of an XML parser or slow down the parsing time: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
I am thinking of a method to avoid the attack using XXE, but failed to find a way with Xerces-c++ SAX2.
First I found that JAXP can disable the doctype in XML. Then I found Xerces-J can disallow an inline DTD. However, these two interfaces are Java interfaces.
I also found that Xerces-c++ supports a security manager which can protect against too many entity expansions. However, this class can be used only in the SAXParser class. As far as I know, SAXParser is part of SAX. In SAX 2, we use SAX2XMLReader.
So it seems I can't find a method to disable or constrain the entity expansion in Xerces-c++ with SAX2.
Could anyone help me on this issue?
Best Regards hardrock
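As an added example (not from this thread or from the Xerces project), the following C++ guard refuses any document whose prolog carries a DOCTYPE before the bytes are handed to SAX2XMLReader, which is the effect JAXP's doctype-disabling option has: with no DOCTYPE, no entity can be declared, so neither entity-expansion blowups nor external-entity fetches can occur. It assumes UTF-8 or ASCII-compatible input and refuses anything else rather than inspecting it; Xerces-C++'s own entity-expansion limit (SecurityManager) and the load-external-dtd feature should still be used wherever the parser class exposes them.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example, not from the thread: pre-parse guard that refuses any
// document whose prolog contains a DOCTYPE. Assumes UTF-8 / ASCII-compatible
// input; other encodings are refused rather than inspected.
// Returns true only when a root element was reached with no DOCTYPE before it.
bool safeToParse(const std::string& xml) {
    const std::size_t n = xml.size();
    std::size_t i = 0;
    // Accept a UTF-8 BOM; refuse UTF-16/UTF-32 BOMs and NUL bytes, where the
    // byte-level scan below could not see "<!DOCTYPE".
    if (n >= 3 && xml.compare(0, 3, "\xEF\xBB\xBF") == 0) i = 3;
    else if (n >= 2 && (xml.compare(0, 2, "\xFE\xFF") == 0 ||
                        xml.compare(0, 2, "\xFF\xFE") == 0)) return false;
    if (xml.find('\0') != std::string::npos) return false;
    while (i < n) {
        char c = xml[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') { ++i; continue; }
        if (c != '<') return false;                 // text outside markup in the prolog: refuse
        if (xml.compare(i, 4, "<!--") == 0) {       // comment: skip to "-->"
            std::size_t end = xml.find("-->", i + 4);
            if (end == std::string::npos) return false;
            i = end + 3;
            continue;
        }
        if (xml.compare(i, 2, "<?") == 0) {         // XML declaration or PI: skip to "?>"
            std::size_t end = xml.find("?>", i + 2);
            if (end == std::string::npos) return false;
            i = end + 2;
            continue;
        }
        if (xml.compare(i, 9, "<!DOCTYPE") == 0) return false;  // DTD present: refuse
        return true;  // any other '<' opens the root element; a DOCTYPE can no longer appear
    }
    return false;     // no root element reached: malformed, refuse
}

int main() {
    // Constructed samples: a plain document and one declaring an internal entity.
    const std::string plain = "<?xml version=\"1.0\"?>\n<!-- note -->\n<doc/>";
    const std::string withDtd = "<?xml version=\"1.0\"?><!DOCTYPE doc [<!ENTITY e \"x\">]><doc>&e;</doc>";
    std::cout << "plain: " << (safeToParse(plain) ? "parse" : "refuse") << '\n';
    std::cout << "with DTD: " << (safeToParse(withDtd) ? "parse" : "refuse") << '\n';
    return 0;
}
```

A DOCTYPE inside a leading comment is skipped, so the check does not fire on commented-out declarations; any document it refuses should be logged with its source, since a DOCTYPE in input that never legitimately carries one is itself a useful detection signal.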