Improve disabling access to external entities in XML parsing for TransformerFactory 

Issue date: 10-05-2021
Affects versions: 14.5

Security Issue ID



Affected Product Version(s)

14.5.1 and previous releases.




Avoid FEATURE_SECURE_PROCESSING feature to protect from XXE attacks because depending on the implementation:

  • it has no effect to protect the parser from XXE attacks but helps guard against excessive memory consumption from XML processing.
  • or it's just an obscur shortcut (it could set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" but without guarantee).

All applicable code fragments have been updated to the following compliant code:

DocumentBuilderFactory df = DocumentBuilderFactory.newInstance(); 
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant 
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant 



Customers using the 14.x major versions are recommended to upgrade to the latest version.