Roberto Cortez [http://community.jboss.org/people/radcortez] created the discussion "Disable DTD declaration"
To view the discussion, visit:
http://community.jboss.org/message/536246#536246
--------------------------------------------------------------
Hi,
How can I disable the doctype declarations, to prevent XXE injection? At the moment,
I'm using JBoss 4.2.3 with JBossWS 3.1.1 and I can do stuff like this:
<!DOCTYPE root
[
<!ENTITY xxe SYSTEM "/windows/system32/drivers/etc/hosts">
]>
And inject the xxe entity in my SOAP parameters. How can I prevent this from happening? I
found this page
http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150...,
which speaks about disabling the DTD declarations. Is this the way to go? Or is there some
other way?
Best Regards
Roberto Cortez