Prevent XXE Attack with JAXB

JAXB

You can prevent the XML eXternal Entity (XXE) attack by unmarshalling from an XMLStreamReader that has the IS_SUPPORTING_EXTERNAL_ENTITIES and/or XMLInputFactory.SUPPORT_DTD properties set to false.

JAX-WS

A JAX-WS implementation should take care of this for you. If it doesn’t, I would recommend opening a bug against the specific implementation.

EXAMPLE

Demo

package xxe; import javax.xml.bind.*; …
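The approach described above, written out as an added example (this is not the original author's Demo class). The Customer class, the class name SafeUnmarshalDemo and both XML strings are constructed for illustration, and the javax.xml.bind API is assumed to be on the classpath.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class SafeUnmarshalDemo {
    // Hypothetical domain class, used only for this illustration.
    @XmlRootElement(name = "customer")
    public static class Customer { public String name; }

    // Constructed input: declares an external entity (placeholder URI) and references it.
    static final String XML_WITH_DTD = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE customer [<!ENTITY ext SYSTEM \"file:///nonexistent-placeholder\">]>"
        + "<customer><name>&ext;</name></customer>";
    // Constructed input: ordinary document with no DTD.
    static final String PLAIN_XML = "<customer><name>Jane</name></customer>";

    // Factory with both properties named in the text set to false.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }

    // Unmarshal from the hardened XMLStreamReader, never from the raw input.
    static Customer unmarshal(String xml) throws Exception {
        XMLStreamReader xsr = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            return (Customer) JAXBContext.newInstance(Customer.class)
                                         .createUnmarshaller().unmarshal(xsr);
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document, name = " + unmarshal(PLAIN_XML).name);
        try {
            // Depending on the StAX implementation, the entity is either left
            // unexpanded or the document is rejected; it is never resolved.
            Customer c = unmarshal(XML_WITH_DTD);
            System.out.println("entity not resolved, name = " + c.name);
        } catch (Exception e) {
            System.out.println("document rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Passing a File, InputStream or Reader straight to Unmarshaller.unmarshal bypasses this factory, so every untrusted input path has to go through the hardened reader.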