Prevent XML Entity Expansion When Using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP

Solution Verified

Issue

  • Prevent XML Expansion
  • Cannot create TransformerFactory impl
  • Log shows error:

    javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.
        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:526)
    
  • Feature is not recognized

    org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
    
  • OWASP recommends guarding the XML parser against XXE (XML External Entity) attacks

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6 - 7.1
  • Java API for XML Processing (JAXP)
  • Setting transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false); (ACCESS_EXTERNAL_DTD is a JAXP 1.5 property, which TransformerFactory exposes through setAttribute rather than setFeature; implementations that predate JAXP 1.5 do not recognize it at all, which is what the errors above report)
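
The following is an added example of one way to harden a JAXP transform against XXE without depending on a TransformerFactory that recognizes the JAXP 1.5 properties; it is not the Red Hat solution from this article and not code from JBoss EAP or Xalan. It enables FEATURE_SECURE_PROCESSING (which every JAXP implementation must accept), tries setAttribute for ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET and treats the IllegalArgumentException shown in the log as "not available", and then stops relying on the factory altogether by feeding the transformer a SAXSource whose XMLReader has DOCTYPE declarations and external entities disabled. The class name HardenedTransform, the use of the Apache Xerces feature URIs (assumed to be the SAX parser available in the EAP class loader), and the XXE probe document in main are assumptions made for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Hypothetical helper (not from the article): XXE-resistant JAXP transforms. */
public class HardenedTransform {

    /** Configure whatever TransformerFactory is on the class path as tightly as it allows. */
    static TransformerFactory hardenedFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        try {
            // Mandatory for every JAXP implementation (Xalan, XSLTC, Saxon): must not throw.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("secure processing must be supported", e);
        }
        // JAXP 1.5 properties go through setAttribute, not setFeature. Factories that
        // predate JAXP 1.5 (e.g. org.apache.xalan.processor.TransformerFactoryImpl)
        // reject them with IllegalArgumentException; log it and fall back to the
        // hardened parser in hardenedReader() instead of failing the deployment.
        String[] props = {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String prop : props) {
            try {
                tf.setAttribute(prop, ""); // empty string = allow no protocols
            } catch (IllegalArgumentException notSupported) {
                System.err.println(tf.getClass().getName() + " does not support " + prop);
            }
        }
        return tf;
    }

    /** A SAX reader that refuses DOCTYPE declarations and never fetches external entities. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Apache Xerces feature URIs (assumed parser); disallowing DOCTYPE is the
        // strongest setting, the remaining three are defence in depth if it is ever relaxed.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /**
     * Identity transform of a string. Because the input is a SAXSource carrying our own
     * XMLReader, the transformer uses that reader and never creates a parser of its own,
     * so entity expansion is blocked regardless of what the factory accepted above.
     */
    static String identityTransform(String xml) throws Exception {
        Transformer t = hardenedFactory().newTransformer();
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        StringWriter out = new StringWriter();
        t.transform(src, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(identityTransform("<doc><x>1</x></doc>"));

        // Constructed XXE probe for the demo, not taken from the article.
        String xxe = "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]><doc>&xxe;</doc>";
        try {
            identityTransform(xxe);
            System.out.println("UNEXPECTED: DOCTYPE was accepted, parser is not hardened");
        } catch (TransformerException expected) {
            // The SAXParseException from disallow-doctype-decl is wrapped by the transformer.
            System.out.println("Rejected as expected: " + expected.getMessage());
        }
    }
}
```

The check worth running on an EAP instance is the stderr line from hardenedFactory(): if it prints that ACCESS_EXTERNAL_DTD is unsupported, the deployed TransformerFactory cannot be hardened through JAXP 1.5 attributes at all, and only the SAXSource path protects the transform. Passing a StreamSource to such a factory hands parsing back to the transformer's own, unconfigured parser.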
