We read our XML template files using javax.xml.parsers.SAXParserFactory. If there is XXE in the XML file we're reading, is there a way to turn off processing that?
thanks - dave
Yes, it is by default susceptible to XXE attacks.
Consult this cheat sheet for properly configuring the parser:
To summarize, you'll want to configure the relevant vulnerabilities with SAXParserFactory.setFeature(foo, bar) (see the documentation).
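As an added example (not code from the question or answer above): a SAXParserFactory configured so that DOCTYPE declarations are rejected and external entity/DTD loading is disabled, applied to two constructed template strings. The feature and property names are the standard SAX, Xerces and JAXP ones honoured by the JDK's built-in parser; the class and method names are mine.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SafeSaxTemplateReader {

    // Factory with DTD processing and external entity resolution switched off.
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Strongest single setting: refuse any DOCTYPE, so no entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses a template with the hardened factory. Returns true if the document
    // was accepted and false if the parser rejected it (e.g. because of a DOCTYPE).
    public static boolean parseTemplate(String xml)
            throws ParserConfigurationException, SAXException {
        XMLReader reader = hardenedFactory().newSAXParser().getXMLReader();
        // JAXP 1.5 properties: an empty value blocks all external DTD/schema fetches.
        reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        reader.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ordinary template, and one that declares an internal entity
        // via a DOCTYPE, which exercises the disallow-doctype-decl rejection path.
        String plain = "<template><field>hello</field></template>";
        String withDoctype = "<!DOCTYPE template [<!ENTITY e \"x\">]><template>&e;</template>";
        System.out.println("plain template accepted:   " + parseTemplate(plain));
        System.out.println("DOCTYPE template accepted: " + parseTemplate(withDoctype));
    }
}
```

If your templates legitimately need a DOCTYPE, drop the disallow-doctype-decl line and rely on the remaining features and properties, which still prevent external entity resolution.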