https://bz.apache.org/bugzilla/show_bug.cgi?id=65704
Bug ID: 65704
Summary: The class XmlUtil.java has an XXE security issue
Product: Taglibs
Version: 1.2.5
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Unknown Taglib
Assignee: dev@tomcat.apache.org
Reporter: powercomt...@huawei.com
Target Milestone: ---

Created attachment 38102
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38102&action=edit
source code

At line 88, the XML parser configured as 'tf' does not prevent nor limit external entity resolution. This can expose the parser to an XML External Entities attack. Using XML parsers configured to not prevent nor limit external entity resolution can expose the parser to an XML External Entities attack. For example, as below:

tf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

I think taglibs can add the above content first and parse the XML in the next step; it will be better.

Thanks
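The following is an added example, not code from the Taglibs project or from the reporter's attachment, showing what a JAXP configuration that actually refuses DOCTYPE declarations and external entities looks like, and how a document carrying a DOCTYPE is rejected by it. The class name HardenedXmlParsing, the method names, and the two sample XML strings are constructed for this illustration. The disallow-doctype-decl feature named in the report is a Xerces feature honoured by the JDK's built-in DocumentBuilderFactory; for a TransformerFactory the corresponding controls are the JAXP 1.5 ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes, which the example sets alongside it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Hypothetical helper (not the Taglibs XmlUtil) that builds JAXP factories
 * which refuse DOCTYPE declarations and never resolve external entities.
 */
public final class HardenedXmlParsing {

    /** DocumentBuilderFactory with DTD processing and external entity resolution disabled. */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any <!DOCTYPE ...>: on Xerces-based parsers (the JDK's included)
        // this alone blocks XXE, since entities can only be declared in a DTD.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** TransformerFactory that is not allowed to fetch external DTDs or stylesheets. */
    public static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means no external access at all (JAXP 1.5, JDK 7u40+).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /**
     * Parses the given XML with the hardened factory.
     * Returns true if a document was produced, false if the parser rejected the input.
     */
    public static boolean parsesUnderHardenedConfig(String xml) throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // disallow-doctype-decl surfaces as a parse error as soon as <!DOCTYPE is seen,
            // before any entity declaration inside it is processed.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for this example.
        String plain = "<config><item>value</item></config>";
        String withDoctype =
                "<!DOCTYPE config [<!ENTITY ext SYSTEM \"http://example.invalid/resource\">]>"
              + "<config><item>&ext;</item></config>";

        System.out.println("plain document accepted:   " + parsesUnderHardenedConfig(plain));
        System.out.println("DOCTYPE document accepted: " + parsesUnderHardenedConfig(withDoctype));

        // Builds without error on a JAXP 1.5 capable runtime; a transformer obtained
        // from it will not follow DOCTYPE or xsl:import/xsl:include references.
        hardenedTransformerFactory();
    }
}
```

The practical check for a fix like the one requested in the report is the second parse above: feed the parser a document whose only unusual content is a DOCTYPE with a SYSTEM entity and confirm it fails at the DOCTYPE rather than returning a document. If the factory in use is shared and cached (as a static field, for instance), the features must be set before the first newDocumentBuilder() call, since builders already handed out keep the configuration they were created with.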