Hi,

There has been some work done on the trunk [1] to make it easier for users to protect themselves but it isn't likely to change any defaults. Users need to configure XML parsers appropriately for their scenario and there are plenty of ways they can do that if they're concerned about XXE.

Thanks.

[1] http://markmail.org/message/cj2ytc62gczbplum

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

Jim Manico <j...@manico.net> wrote on 02/26/2015 07:38:54 AM:

> Hello,
>
> I am a security researcher worried about the threat of XXE in Java parsers.
>
> https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
>
> Java 8 made the choice to disable External Entities by default and I'd love to see Xerces2 make the same choice. This is a pretty serious risk to be left on by default.
>
> Has there been any discussion on this before? Forgive me if I am late to the game here.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> For additional commands, e-mail: j-users-h...@xerces.apache.org
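The reply above says users must "configure XML parsers appropriately for their scenario" rather than rely on defaults. The following is an added example of what that configuration looks like for a JAXP/Xerces DocumentBuilderFactory; it is not code from this thread or from the Xerces project. The feature URIs are the real Xerces and SAX feature names (`disallow-doctype-decl`, `external-general-entities`, `external-parameter-entities`, `load-external-dtd`), and the two sample documents, including the `file:///placeholder` entity URI, are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Xerces / SAX feature URIs (real identifiers; see the Xerces2 feature documentation).
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a DocumentBuilderFactory configured to refuse XXE-related constructs. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE at all. Appropriate for the common
        // case where the application never needs DTDs.
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth, for scenarios where a DOCTYPE must be allowed or where a
        // different parser implementation does not honour the feature above.
        dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        dbf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses the XML text; returns the root element name, or null if the parser rejected it. */
    public static String parseRootName(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, any DOCTYPE ends up here before
            // any entity resolution takes place.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedFactory();

        // Constructed benign document: parses normally.
        String benign = "<?xml version=\"1.0\"?><config><item>ok</item></config>";
        System.out.println("benign root: " + parseRootName(dbf, benign));

        // Constructed document carrying a DOCTYPE that declares an external entity
        // (placeholder URI). The hardened factory rejects the whole document.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<config>&ext;</config>";
        System.out.println("doctype root: " + parseRootName(dbf, withDoctype));
    }
}
```

Running `main` prints `benign root: config` and then `doctype root: null` (with the parser's own "DOCTYPE is disallowed" fatal error on stderr). If a scenario genuinely requires internal DTDs, drop only the `DISALLOW_DOCTYPE` line and keep the remaining features, which still prevent external entity and external DTD resolution; either way the settings are applied on the factory the application owns, which is the per-scenario configuration the reply refers to.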