Tel Map


Saxon HE External Entity Processing ( XXE )

In this article I will describe how to prevent Saxon from parsing external entities to avoid XXE attacks.

Basically you should be very careful when parsing XML files from untrusted sources. Otherwise this can lead to serious security issues.

XML External Entity Attack


If you parse arbitrary XML files from users and do not set up your XML parser correctly, the example above would lead to the content of the file “etc/passwd” being automatically embedded into the parsed XML structure.


If your code parses an XML (test.xml see above) via Saxon like the code shown below, then this would to the content of “/etc/passwd” being printed out.

In other XML parser implementations, there typically is a setter for features, where you can pass in settings like

In Saxon this setting was actually hidden quite well. In Saxon this setting has to be passed on the actual XML parser by concatenating two setting strings. This took me quite some time to figure out ( see below).

After putting this setting in, the code above does not longer print the content of the included file.

Hope this little article saves time for some of you guys.

If you have any questions or comments, please leave a message below.





Leave a Reply

Your email address will not be published. Required fields are marked *