Hello:

I am using Xerces-C++ 2.7.0. I work with the SAX2 interface. I have just learned about the XXE vulnerability, which uses entity expansion or an external entity attack to consume the resources of an XML parser or slow down the parsing time.

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

I am trying to think of a method to avoid XXE attacks, but failed to find a way with Xerces-C++ SAX2.

First I found that JAXP can disable the doctype in XML. Then I found that Xerces-J can disallow an inline DTD. However, these two interfaces are for Java.

I also found that Xerces-C++ supports a security manager which can protect against too many entity expansions. However, this class can be used only in the SAXParser class. As far as I know, SAXParser is for SAX. In SAX 2, we use SAX2XMLReader.

So it seems I can't find a method to disable or constrain the entity expansion in Xerces-C++ with SAX2.

Could anyone help me on this issue?

Best Regards
hardrock