Is it true (or does it at least make sense) that one can have an XXE attack on JavaScript? That is, when trying to parse XML with JS, does it process external entities? But this parsing is executed client side, am I right? What harm can it do to a server?
How can we prevent such attacks on JavaScript XML DOM or jQuery or the like?
Thank you! Cheers
No. Maybe old Internet Explorer versions were vulnerable, but current browsers are not. (I tested it about 2 years ago with the IE, FF, Chrome and Opera desktop browsers. I could not find an installer to try it out, but there were rumors that this kind of attack may be possible with IE5 or IE6. So this is just interesting, not a real threat in client-side programming.)
In general, if you want to prevent such an attack, you have to turn off processing external entities in your XML parser, that's all.
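An added example, not part of the original answer: the switch for disabling external entities differs from one parser library to another, so this JavaScript guard shows a complementary, parser-independent check that refuses any XML document declaring a DTD before it reaches a parser. The function names (`checkXml`, `readDeclaration`, `classify`) and the sample documents are constructed for illustration.

```javascript
// Added example: reject XML that declares a DTD before parsing (hypothetical names).
// In a browser, call checkXml(text) before DOMParser.parseFromString(text, 'application/xml').

// Return the full <!DOCTYPE ...> text starting at `start`, or null if unterminated.
function readDeclaration(xml, start) {
  let quote = null, depth = 0;
  for (let i = start; i < xml.length; i++) {
    const c = xml[i];
    if (quote) { if (c === quote) quote = null; }   // inside a quoted literal
    else if (c === '"' || c === "'") quote = c;
    else if (c === '[') depth++;                    // internal subset opens
    else if (c === ']') depth--;
    else if (c === '>' && depth === 0) return xml.slice(start, i + 1);
  }
  return null;
}
// Name the riskiest construct found in the DOCTYPE, for logging.
function classify(decl) {
  if (/<!ENTITY\s+(%\s+)?[^\s>]+\s+(SYSTEM|PUBLIC)\s/i.test(decl)) return 'external-entity';
  if (/<!ENTITY\s/i.test(decl)) return 'internal-entity';
  if (/^<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\s/i.test(decl)) return 'external-dtd';
  return 'doctype';
}
// A DOCTYPE is only legal in the prolog, so skip the BOM, whitespace, processing
// instructions and comments, then inspect the first remaining token. Fails closed.
function checkXml(xml) {
  let i = xml.charCodeAt(0) === 0xfeff ? 1 : 0;
  for (;;) {
    while (i < xml.length && /\s/.test(xml[i])) i++;
    const [open, close] = xml.startsWith('<?', i) ? ['<?', '?>']
      : xml.startsWith('<!--', i) ? ['<!--', '-->'] : [];
    if (!open) break;
    const at = xml.indexOf(close, i + open.length);
    if (at < 0) return { ok: false, reason: 'malformed-prolog' };
    i = at + close.length;
  }
  if (!/^<!DOCTYPE/i.test(xml.slice(i, i + 9))) return { ok: true, reason: 'no-doctype' };
  const decl = readDeclaration(xml, i);
  return { ok: false, reason: decl ? classify(decl) : 'malformed-doctype' };
}

// Constructed sample documents (not taken from the original thread).
const SAMPLES = {
  plain: '<?xml version="1.0"?><!-- note --><order><id>7</id></order>',
  externalEntity: '<!DOCTYPE o [<!ENTITY ext SYSTEM "http://example.invalid/x">]><o>&ext;</o>',
  internalEntity: '<!DOCTYPE o [<!ENTITY e "text">]><o>&e;</o>',
  externalDtd: '<!DOCTYPE o SYSTEM "http://example.invalid/o.dtd"><o/>',
  cdataMention: '<o><![CDATA[<!DOCTYPE x>]]></o>',   // text in the body, not a DTD
};
for (const [name, xml] of Object.entries(SAMPLES)) console.log(name, checkXml(xml));
```

The guard rejects every DOCTYPE, including harmless ones; the `reason` field exists only so that rejected input can be logged by category.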