Recommended mitigation:
Replace this dangerous code:
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.isIgnoringElementContentWhitespace();
DocumentBuilder builder = factory.newDocumentBuilder();
Carlos Villa Sánchez carlosvillasanchez
🔨
AlainODea
/ DocumentBuilderFactory_XXE_mitigation.md
Last active
May 17, 2021 02:45
DocumentBuilderFactory that mitigates XXE using OWASP guidance
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠| |
| 0 |
The postMessage() API is an HTML5 extension that permits string
message-passing between frames that don't share the same origin. It
is available in all modern browsers. It is not supported in IE6 and
IE7.
postMessage is generally considered very secure as long as the programmer is careful to check the origin and source of an arriving