"Cantor, Scott" <canto...@osu.edu> wrote on 03/04/2015 12:16:03 PM:

> From: "Cantor, Scott" <canto...@osu.edu>
> To: "j-users@xerces.apache.org" <j-users@xerces.apache.org>,
> Date: 03/04/2015 12:18 PM
> Subject: Re: Hello and XXE
>
> On 3/4/15, 5:08 PM, "Jim Manico" <j...@manico.net> wrote:
>
> >With respect, XXE is a massive vulnerability that is turned off by
> >default in Java 8 as well as IBM parsers. Is there any proof or risk
> >model I could provide to convince Xerces to turn this off by default?
>
> +1
>
> And it's not the only unfixed vulnerability in play (per the note I just
> sent).

-1. XXE is not a vulnerability in the parser. It may be a vulnerability for an application/product, but that is the developer's responsibility to apply proper configuration to protect themselves in the right context.

> -- Scott

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org
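The "proper configuration" the reply puts on the application developer, written out as an added example (this is not code from the thread, from IBM, or from the Xerces project): a JAXP DocumentBuilderFactory hardened against XXE using the standard Xerces/SAX feature URIs. The sample document and its placeholder SYSTEM URI are constructed for illustration; with the DOCTYPE disallowed the parser rejects it before any external resource is resolved.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // The SYSTEM URI is a placeholder; the hardened parser never fetches it.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder/not-fetched.txt\"> ]>\n"
        + "<note>&ext;</note>";

    static final String SAMPLE_PLAIN = "<note>hello</note>";

    /** Builds a factory with external entity processing switched off. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: the most complete single defence Xerces offers,
        // since entities (internal or external) can only be declared inside one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE: no external
        // general entities, no external parameter entities, no external DTD loading.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP secure processing limits entity expansion (billion-laughs style inputs).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude can also pull in external documents; keep it off unless required.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true if the document parses under the hardened configuration. */
    public static boolean parsesUnderHardenedConfig(String xml) {
        try {
            DocumentBuilder db = hardenedFactory().newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // The DOCTYPE sample lands here: rejected at the DOCTYPE declaration,
            // so no file or network access is ever attempted for the entity.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("DOCTYPE sample accepted: "
            + parsesUnderHardenedConfig(SAMPLE_WITH_DOCTYPE));   // false
        System.out.println("Plain sample accepted:   "
            + parsesUnderHardenedConfig(SAMPLE_PLAIN));          // true
    }
}
```

The same feature URIs apply to SAXParserFactory and XMLReader; for StAX the equivalent is XMLInputFactory.SUPPORT_DTD set to false. If an application genuinely needs DOCTYPEs, keep the three external-entity features off and pair the parser with a restrictive EntityResolver so nothing outside an allow-list is ever resolved.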