1 Reply Latest reply on Mar 20, 2007 10:42 AM by Thomas Diesler

    FEATURE_SECURE_PROCESSING and related dtd parsing config usa

    Scott Stark Master

      A question has come up around the dtd entity parsing denial of service issue raised here:

      http://www-128.ibm.com/developerworks/xml/library/x-tipcfsx.html
      http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security

      Are we allowing for the use of the parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to limit the defaults?

      What about disabling doctypes via the http://apache.org/xml/features/disallow-doctype-decl feature:
      http://xerces.apache.org/xerces2-j/features.html
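Added example, not part of the original post or of the project's code: a JAXP `DocumentBuilderFactory` that sets both features the post asks about and shows how each setting treats a constructed document carrying a DOCTYPE. The class and method names are illustrative, and the parser in use is assumed to be Xerces-based so that it recognises `disallow-doctype-decl`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SecureParserDemo {
    // Xerces feature named in the post; not every JAXP implementation recognises it.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    static DocumentBuilderFactory hardenedFactory(boolean disallowDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Asks the implementation to apply its processing limits (e.g. entity expansion).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (disallowDoctype) {
            // Throws ParserConfigurationException if unsupported, so failure is loud.
            f.setFeature(DISALLOW_DOCTYPE, true);
        }
        return f;
    }

    static String tryParse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity, only to trigger the DOCTYPE check.
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note [<!ENTITY who \"world\">]>"
            + "<note>hello &who;</note>";
        String plain = "<note>hello world</note>";

        System.out.println("secure only, DTD:  " + tryParse(hardenedFactory(false), withDtd));
        System.out.println("no doctype, DTD:   " + tryParse(hardenedFactory(true), withDtd));
        System.out.println("no doctype, plain: " + tryParse(hardenedFactory(true), plain));
    }
}
```

With secure processing alone the DOCTYPE is still read and only the implementation's limits apply, while `disallow-doctype-decl` makes any document containing a DOCTYPE fail with a fatal parse error.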