On Monday, May 28, 2018 at 1:34:59 PM UTC+2, Deepak Antil wrote:
>
> Is GWT prone to XXE Vulnerability by default or does it require any specific
> configuration for that?
>

TL;DR: No.

> XML Prevention Sheet talking about settings for common XML parsers.
>
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
>
> Not sure what is internally configured in GWT's internally used XML parsers.
>

GWT will (AFAIK) load and process XXEs of *.gwt.xml files when you compile, test or debug your code; but *.gwt.xml files will either be written by yourself/your team, or come from external dependencies, so you have to be just as careful as with any external code that you'll run on your machine.

com.google.gwt.xml.* or com.google.gwt.xhr.* defer to native browser APIs, so they're only vulnerable if your browser is vulnerable.

GWT does not make use of XML in its server-side code (for RPC or RequestFactory) and does not otherwise provide any XML parsing facility itself that would be vulnerable.
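An added example, not part of the original thread or of GWT's own code: because the reply notes that *.gwt.xml files from dependencies are parsed at build time, one way to review such a descriptor before trusting it is to list the entities it declares without resolving any of them. The class name and the sample descriptor are constructed for illustration, and the `load-external-dtd` feature assumes the JDK's built-in Xerces-based parser.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.ext.DefaultHandler2;

public class GwtModuleEntityAudit {

    /** Returns one finding per entity declared in the descriptor's DTD subset. */
    static List<String> audit(String xml) throws Exception {
        List<String> findings = new ArrayList<>();
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Read the declarations, but never fetch or expand anything external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        DefaultHandler2 h = new DefaultHandler2() {
            @Override public void externalEntityDecl(String name, String publicId, String systemId) {
                findings.add("external entity " + name + " -> " + systemId);
            }
            @Override public void internalEntityDecl(String name, String value) {
                findings.add("internal entity " + name);
            }
            @Override public InputSource resolveEntity(String name, String publicId,
                                                       String baseURI, String systemId) {
                return new InputSource(new StringReader("")); // second guard: resolve to nothing
            }
        };
        reader.setContentHandler(h);
        reader.setEntityResolver(h);
        reader.setProperty("http://xml.org/sax/properties/declaration-handler", h);
        reader.parse(new InputSource(new StringReader(xml)));
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptor, not taken from any real library.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE module [ <!ENTITY cfg SYSTEM \"file:///constructed/example.txt\"> ]>\n"
            + "<module><inherits name=\"com.google.gwt.user.User\"/>&cfg;</module>";
        audit(sample).forEach(System.out::println);
    }
}
```

A descriptor that yields any finding deserves the same review as any other third-party code pulled into the build.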
