by reginaldo
4524 days ago
Fixing XXEs in Java is not a trivial thing to do. The best reference I know comes from Apache Shindig [1], and you do have to make all those BUILDER_FACTORY.setAttribute calls, otherwise you block general external entities but allow parameter entities, which still leaves you vulnerable.

[1] http://svn.apache.org/repos/asf/shindig/trunk/java/common/sr...