Prevent XML Entity Expansion When Using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP

Solution Verified

Issue

  • Prevent XML Expansion
  • Cannot create TransformerFactory impl
  • Log shows error:

    javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.
        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:526)
    
  • Feature is not recognized

    org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    java.lang.IllegalArgumentException: Nicht unterstützt: http://javax.xml.XMLConstants/property/accessExternalDTD
    
  • OWASP recommends guarding the XML parser against XXE

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6 - 7.1
  • Java API for XML Processing (JAXP)
  • Setting transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);
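The distinction behind the logged errors, as an added example that is not part of this article or of Red Hat's own code: ACCESS_EXTERNAL_DTD is a JAXP property and goes through setAttribute(), whereas setFeature() takes features such as FEATURE_SECURE_PROCESSING; a factory that rejects the property (the IllegalArgumentException above) should then be fed a SAXSource built on a hardened XMLReader. The class name, the fallback design and the use of Xerces feature names as the SAX parser available in EAP are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public final class HardenedTransformerFactory {

    // ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET are JAXP *properties*, so they
    // are set with setAttribute(); passing them to setFeature() is what produces the
    // "Cannot set the feature ..." TransformerConfigurationException in the log.
    public static TransformerFactory newHardened() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // FEATURE_SECURE_PROCESSING is a real feature and takes a boolean.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Empty string = no protocol allowed for external DTDs / stylesheets.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException notSupported) {
            // Older Xalan builds reject the JAXP 1.5 properties ("Nicht unterstützt" /
            // "not recognized" above). Do not continue silently: parse the input with
            // the hardened reader from hardenedSource() so the transformer never
            // resolves entities itself.
            System.err.println("access properties unsupported by "
                    + tf.getClass().getName() + ": " + notSupported.getMessage());
        }
        return tf;
    }

    // Wraps the XML input in a SAXSource whose reader refuses a DOCTYPE and external
    // entities; a transformer given a SAXSource with an XMLReader uses that reader.
    public static Source hardenedSource(InputSource xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature names (assumption: Xerces is the SAX parser in use).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, xml);
    }
}
```

Apply both halves: newHardened() for the factory and hardenedSource() for every untrusted input, since a factory that ignores the access properties offers no protection on its own.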
