Showing posts from 2017

How to prevent XSS attack while parsing XML

XML parsing vulnerable to XXE (SAXParser) attack

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source.

Risk 1: Expose local file content (XXE: XML eXternal Entity)

]> &xxe;

Risk 2: Denial of service (XEE: Xml Entity Expansion)

[...] ]> &lol9;

Solution

In order to avoid exposing dangerous features of the XML parser, you can make the following change to the code.

Vulnerable code:

SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
parser.parse(inputStream, customHandler);

The following snippets show two available solutions. You can set one feature or both.

Solution using "Secure processing" mode: This setting will protect you against denial of service attacks and remote file access.

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCES...
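The hardened factory configuration the post describes, carried through as an added Java example (this is not code from the original post): it enables secure processing, switches off external general and parameter entities, and additionally rejects any DOCTYPE with the Xerces "disallow-doctype-decl" feature, which goes one step further than the post by blocking entity expansion at the declaration. The class name, the helper methods and the two inline documents are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {

    /** Builds a SAXParser with entity processing disabled, i.e. the fix the post describes. */
    public static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: no entity declarations means neither XXE nor XEE.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: also disable external entity resolution and enable secure processing,
        // so a parser that ignores the Xerces feature above still does not fetch external content.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser();
    }

    /** Returns true if the document was parsed, false if the parser rejected it. */
    public static boolean parses(SAXParser parser, String xml) throws IOException {
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // A rejected DOCTYPE surfaces here as a SAXParseException; log it for detection.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE with an entity declaration.
        String benign = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order><id>&e;</id></order>";

        SAXParser hardened = newHardenedParser();
        System.out.println("plain document accepted: " + parses(hardened, benign));
        System.out.println("DOCTYPE document accepted: " + parses(hardened, withDoctype));
    }
}
```

With the hardened factory the plain document parses and the DOCTYPE document is refused before any entity is expanded; the same two inputs against the post's vulnerable one-liner would both parse.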