I'm not sure I understand exactly what you're looking for but I'll give it a try.
It's possible to pass the exact XML parser that XMLBeans should use, see
http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
and
http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()

Setting these options to your own parser and resolver should give you full control over what resources XMLBeans operates on.

Cezar

On Wed, 2013-01-30 at 16:40 -0800, Jon Gorrono wrote:
> Hello.
>
> I didn't get a bite on the question below posted to the user@xmlbeans
> list a couple of weeks ago so I am working up the chain ;)
>
> To restate the question, does xmlbeans use 'safe' defaults for xml
> parsing features to avoid XXE and DTD operations? Both are capable of
> exposing sensitive system documents and of acting as a conduit for XSS.
>
> And/or are the settings of parsing features exposed so that users of
> xmlbeans can set them?
>
>
> From the department of TMI, my immediate interest is in a project that
> uses POI and POI uses xmlbeans to parse ooxml documents. POI punted me
> to xmlbeans.... under the assumption that they have no control over
> the parsing features used by xmlbeans.
>
> Can anyone here provide any insight?
>
> Thanks.
> Jp
>
>
> ---------- Forwarded message ----------
> From: Jon Gorrono <jpgorr...@ucdavis.edu>
> Date: Mon, Jan 14, 2013 at 6:37 PM
> Subject: XXE
> To: u...@xmlbeans.apache.org
>
>
> Hello.
>
> There's been a lot going around lately about XML External Entity
> definitions and how they (and related constructs) can be exploited in
> nefarious ways.
>
> Does xmlbeans set safe defaults for 'features' on xml processors? If
> not, are the base objects accessible to developers (users of xmlbeans)
> so that processing 'features' can be set?
>
> Thanks
>
>
> --
> Jon Gorrono
> PGP Key: 0x5434509D -
> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
> http://middleware.ucdavis.edu
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@xmlbeans.apache.org
> For additional commands, e-mail: dev-h...@xmlbeans.apache.org
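To make Cezar's pointer concrete, here is an added example (not code from the thread or from the XMLBeans project) that builds a SAX XMLReader with DTD and external-entity processing disabled and hands it to XMLBeans through XmlOptions.setLoadUseXMLReader, the option linked above. It assumes XMLBeans 2.x and a JAXP SAX implementation that honours the standard SAX and Xerces feature URIs; the sample documents and the class and method names are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Hypothetical helper: load untrusted XML through XMLBeans with a hardened parser. */
public class SafeXmlBeansLoad {

    /** Build a SAX XMLReader that refuses DOCTYPEs and never fetches external resources. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // JAXP secure processing: caps entity expansion and similar resource use.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: reject any DOCTYPE, which removes inline and external entities at once.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that allow a DOCTYPE but honour the SAX entity features.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Last line of defence: whatever the features do, resolve every entity to an empty stream.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Parse with XMLBeans using the hardened reader instead of the library's default parser. */
    static XmlObject parseUntrusted(InputStream in) throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(in, opts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying an external entity declaration (the XXE shape).
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/ext.xml\">]>\n"
            + "<d>&ext;</d>";
        try {
            parseUntrusted(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: document with DOCTYPE was accepted");
        } catch (XmlException e) {
            // disallow-doctype-decl makes the reader fail on the DOCTYPE before any entity is resolved;
            // XMLBeans surfaces the SAX error as an XmlException (assumed wrapping behaviour).
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Constructed sample: an ordinary document still parses normally.
        String plain = "<d>ok</d>";
        XmlObject doc = parseUntrusted(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("plain document parsed: " + doc.xmlText());
    }
}
```

The point of supplying your own XMLReader is that the feature flags are then set on a parser you control, independent of whatever XMLBeans' bundled default does or does not support. Setting the entity resolver as well covers a parser that silently ignores an unknown feature name. For the POI case mentioned in the thread, this only helps where the calling code can reach the XmlOptions that XMLBeans is given.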