XML? Be cautious!
Mateusz Świderek
6554

Quick note wrt

“Sadly, most Java XML parsers have XXE enabled by default.”.

The reason for this is, I think, that this is what XML specification mandates: XML document processing should apply all entity expansion as directed.
And suppressing such expansion could be considered as non-compliance.
As a result some specifications (Stax on Java, for example; and probably SAX as well) mandate defaults that are not optimal from security perspective — that is, should only be used for trusted content, and never for xml generated by clients.

In practical terms I agree that defaults for this day and age defaults should be more conservative, since anyone who knows what XML entities are should probably be expected to enable their handling. I am just noting why defaults differ from your reasonable expectations.

Like what you read? Give @cowtowncoder a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.