by nl 4524 days ago
XXEs are nasty. Back in the early 2000s I found every single Java RSS parser (back then that was an important thing) was vulnerable.

I submitted patches for them all, but it was kinda nasty to fix in Java, because each XML parser had different custom properties to set. https://github.com/rometools/rome/blob/master/src/main/java/... is the hackiness I had to do for ROME.


Fixing XXEs in Java is not a trivial thing to do. The best reference I know comes from Apache shindig [1], and you do have to make all those BUILDER_FACTORY.setAttribute calls, otherwise you block general external entities but allow parameter entities, which still leaves you vulnerable.

[1] http://svn.apache.org/repos/asf/shindig/trunk/java/common/sr...