Skip to content

disable external entity resolution in text_xml writeTo#204

Open
arib06 wants to merge 1 commit into
eclipse-ee4j:masterfrom
arib06:textxml-xxe-external-entities
Open

disable external entity resolution in text_xml writeTo#204
arib06 wants to merge 1 commit into
eclipse-ee4j:masterfrom
arib06:textxml-xxe-external-entities

Conversation

@arib06

@arib06 arib06 commented Jul 3, 2026

Copy link
Copy Markdown

the identity transform in text_xml.writeTo parses the supplied DataSource/Source without disabling external entities, so writing a text/xml part whose content comes from untrusted xml resolves SYSTEM entities and leaks local file contents (or reaches internal urls) into the output; disable secure-processing plus external DTD/stylesheet access on the TransformerFactory so the source is copied without fetching external resources.

Signed-off-by: mohammed arib <arib@bugqore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant