DocumentHelper.parseText could be vulnerable to XML Injection #28
Comments
Can this function be merged into the dom4j-2.0.2 version, so that projects whose JDK version is below JDK 8 can apply it?
…arseText() helper.
…ext() helper. (cherry picked from commit 8f6a7f6)
(cherry picked from commit 53f923a)
The DocumentHelper.parseText could be used to convert Strings to a Document Object. But the function uses SAXReader to parse the XML String, which is vulnerable to XML Injection. To deal with this problem, we always use the setFeature function to disallow doctype and entity. However, you use the SAXReader directly and do not offer any function to allow users to configure those features. So I think this is a problem here, and if users used DocumentHelper.parse and the string to convert was controlled by user input such as GET or POST parameters, the application would be vulnerable to XML Injection.
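The mitigation the report describes (calling setFeature on the SAXReader before parsing) as a worked example. This is added illustration code, not dom4j's own DocumentHelper implementation or the patch referenced in the commits above; the class name SafeDocumentHelper and the method names hardenedReader and parseUntrustedText are hypothetical. The feature URIs are the standard Xerces/SAX feature names; dom4j's SAXReader.setFeature(String, boolean) passes them through to the underlying parser and throws SAXException if the parser does not recognise one, which the helper turns into a hard failure rather than silently parsing with defaults.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example (hypothetical class): a parseText-style helper that hardens
 * the SAXReader before it touches untrusted XML.
 */
public final class SafeDocumentHelper {

    private SafeDocumentHelper() {}

    /** Returns a SAXReader configured to reject DOCTYPE declarations and external entities. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting any DOCTYPE is the single most effective setting: without a
        // DOCTYPE no entities (internal or external) can be declared at all.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept DOCTYPEs anyway.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Drop-in replacement for DocumentHelper.parseText when the string comes from user input. */
    public static Document parseUntrustedText(String xml) throws DocumentException {
        try {
            return hardenedReader().read(new StringReader(xml));
        } catch (SAXException e) {
            // Fail closed: a parser that cannot honour the features must not be used on untrusted data.
            throw new DocumentException("XML parser does not support the required security features", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs. The second one carries a DOCTYPE, which is
        // the precondition for every entity-based injection; the hardened reader
        // refuses it before any entity is expanded.
        String plain = "<user><name>alice</name></user>";
        String withDoctype = "<!DOCTYPE user [<!ENTITY x \"y\">]><user><name>&x;</name></user>";

        Document ok = parseUntrustedText(plain);
        System.out.println("parsed name: " + ok.getRootElement().elementText("name"));

        try {
            parseUntrustedText(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With a stock `new SAXReader()` the second input parses successfully and `&x;` is expanded, which is exactly the behaviour the report objects to; the hardened reader throws a DocumentException at the DOCTYPE instead. Applying the same four setFeature calls wherever a SAXReader is built from request data gives the configuration the report says it has to add by hand.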