<quote>
> Do you know what the Java settings are that would make it vulnerable
> to this attack?
Ignoring comments, the usual entity expansion and DTD issues, and a setting to coalesce CDATA into Text nodes are the ones that can create or prevent problems. That in combination with the actual DOM calls being done can interact in various ways that create problems or prevent them. The "safe" mode, insofar as anything is safe, is to ignore comments (*), prevent DTDs from appearing and block entity expansion, and to coalesce CDATA so it never appears in the DOM.

-- Scott

(*) This of course prevents signing comments. You can still use #WithComments c14n methods, but if any comments were in the DOM when signed, the other end will fail to validate.
</quote>

Is there any reason why the standard allowed #WithComments? I cannot think of a single reason why you would want comments in SAML elements. It makes life so much more complicated.
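As an added illustration (not code from anyone in this thread), this is a Java DocumentBuilderFactory configured the way Scott's "safe" mode describes: comments ignored, DOCTYPE declarations refused, entity expansion disabled and CDATA coalesced. The class name and the sample NameID below are constructed for the example; the feature URIs are the standard Xerces/JDK ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public final class HardenedSamlDomParser {
    // Factory settings matching the "safe" mode from the thread.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);      // XML Signature / SAML processing needs namespaces
        dbf.setIgnoringComments(true);    // comments never enter the DOM (so #WithComments c14n is unusable)
        dbf.setCoalescing(true);          // CDATA sections merged into ordinary Text nodes
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD at all
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return dbf;
    }

    public static Document parse(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: element text interrupted by a comment and a CDATA section.
        String sample = "<NameID xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
                + "user<!-- note -->@exam<![CDATA[ple.org]]></NameID>";
        Element nameId = parse(sample).getDocumentElement();
        // With comments ignored and CDATA coalesced, only Text children remain;
        // print what the DOM actually holds so the effect of the settings is visible.
        System.out.println("child nodes: " + nameId.getChildNodes().getLength());
        System.out.println("text content: " + nameId.getTextContent());
        // A document carrying a DOCTYPE is rejected by the parser instead of being processed.
        try {
            parse("<!DOCTYPE x [<!ENTITY e \"x\">]><NameID>&e;</NameID>");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Whatever code then walks the DOM should still read whole element content (for example via getTextContent) rather than only the first child node, since the factory settings and the DOM calls interact, as the quoted reply notes.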