6

I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.

The issue is, if the user enters an untrusted xml source url, the app and/or the device might be effected.

What are the best ways to identify risk and prevent exploit.

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it.

Thanks.

Improve this question
1
  • Do you use a schema to validate the XML content? Commented May 31, 2012 at 17:34

2 Answers 2

Reset to default
6

After researching, I found this. I hope this would solve my problem.

To enable FEATURE_SECURE_PROCESSING

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Did this actually work? I am getting an exception when doing this.
@digitizedx Were you able to get out of exception. I am getting javax.xml.parsers.ParserConfigurationException: apache.org/xml/features/disallow-doctype-decl
@ArpitGarg. No. OWASP suggest some alternatives. So I just followed owasp.org/index.php/…
2

  • For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

  • For StAX parser:

    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.