On 16/11/2025 18:26, Martynas Jusevičius wrote:
> Created an issue here: https://github.com/apache/jena/issues/3595
> Issue resolved: there was a copy of a Xerces artifact coming from a
> non-Jena dependency.
> I want to protect my RDF/XML I/O code against Billion laughs, external
> DTD and similar exploits.
XML parser instances used by Jena itself come configured by
"JenaXMLInput", which follows [*].
Remote DTDs and external entity references are disabled.
In addition, when using the built-in JDK parser, there are JDK-provided
limits applied for excessive entity expansion.
https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html
Andy
[*]
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
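As an added illustration of the configuration Andy describes (remote DTDs and external entities disabled per the OWASP cheat sheet, JDK expansion limits as a second layer), here is a standalone Java class that sets up hardened SAX and StAX factories and runs them over two constructed hostile inputs. This is example code written for this thread, not Jena's JenaXMLInput; the class name, the two sample documents and the placeholder DTD host are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hardened JAXP parser factories following the OWASP XXE prevention cheat sheet,
 * exercised against two constructed hostile inputs. Hypothetical class, not Jena's code.
 */
public class HardenedXmlInput {

    // Constructed input: a scaled-down "billion laughs" document (3 levels instead of 10).
    static final String ENTITY_EXPANSION_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE lolz [\n"
        + " <!ENTITY lol \"lol\">\n"
        + " <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
        + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
        + "]>\n"
        + "<lolz>&lol3;</lolz>\n";

    // Constructed input: a DOCTYPE pointing at a remote DTD; the host is a placeholder.
    static final String REMOTE_DTD_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd-host.invalid/remote.dtd\">\n"
        + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/>\n";

    /** SAX: forbid DOCTYPE outright (the cheat sheet's primary setting) plus the usual extra features. */
    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** StAX: no DTD processing and no external entities. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Parses with the hardened SAX factory; returns "ok" or "rejected: <parser message>". */
    static String parseWithSax(String xml) {
        try {
            SAXParser parser = hardenedSaxFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "ok";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Parses with the hardened StAX factory, counting character data; returns a summary string. */
    static String parseWithStax(String xml) {
        try {
            XMLStreamReader reader = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            long chars = 0;
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    chars += reader.getTextLength();
                }
            }
            reader.close();
            return "ok (" + chars + " characters of text)";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Second layer for code paths that must keep DTD processing on: the JDK's own
        // entity-expansion ceiling (default 64000, see the JDK limits page) lowered via a system property.
        System.setProperty("jdk.xml.entityExpansionLimit", "1000");

        System.out.println("SAX,  entity expansion doc: " + parseWithSax(ENTITY_EXPANSION_DOC));
        System.out.println("SAX,  remote DTD doc:       " + parseWithSax(REMOTE_DTD_DOC));
        System.out.println("StAX, entity expansion doc: " + parseWithStax(ENTITY_EXPANSION_DOC));
        System.out.println("StAX, remote DTD doc:       " + parseWithStax(REMOTE_DTD_DOC));
    }
}
```

The SAX factory refuses both documents at the DOCTYPE line, which is the unambiguous choice when a DOCTYPE is never legitimate in your inputs. The StAX setting is weaker in a way worth knowing: how SUPPORT_DTD=false treats a DOCTYPE varies between StAX implementations (the JDK's built-in one skips DTD processing rather than rejecting the declaration, so the expansion document fails only because &lol3; is then undeclared, and the remote DTD document parses without any fetch), so confirm the behaviour against the implementation actually on your classpath, exactly the kind of stray-Xerces situation that started this thread.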