This has been discussed many times before. Users are required to configure XML parsers appropriately for the environment they're running their application in. JAXP provides many ways of disabling DTD processing and entity resolution. The default behaviour is what's required by the spec. It isn't changing.
Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

Mukul Gandhi <[email protected]> wrote on 05/01/2018 01:37:22 AM:

> Hi Jim,
> Requesting you to please create a separate thread on the "dev" list
> to discuss this issue. You may also either create a Xerces bug or an
> improvement request in JIRA.
>
> On Mon, Apr 30, 2018 at 9:43 PM, Jim Manico <[email protected]> wrote:
> Forgive this disruption but Xerces allows external entity resolution
> to be enabled by default which is a major vulnerability. A simple
> config setting change would turn this, rightfully, off by default.
>
> For more info please see https://cwe.mitre.org/data/definitions/611.html
> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805
>
>
> --
> Regards,
> Mukul Gandhi
