Expose XML Parser Configuration to prevent XXE

Description

There is no way to access the XML Parser features (used by XmlParse, XmlSearch and XmlTransform) in order to prevent XML External Entity (XXE) vulnerabilities in CFML. These features should be exposed to the developer in `Application.cfc`, for example:

```cfml
this.xmlFeatures["FEATURE_IDENTIFIER"] = value;
```

Please see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java for implementation details.
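The kind of parser hardening the OWASP Java section describes, written out as an added example (not Lucee's implementation and not the reporter's code): the feature identifiers are the standard SAX/Xerces ones from that cheat sheet, the `HardenedXmlParser` class and the sample document are constructed for this illustration, and the file path in the sample is a placeholder.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class HardenedXmlParser {

    // Feature identifiers as listed in the OWASP XXE prevention cheat sheet (Java section).
    static final String DISALLOW_DOCTYPE     = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM_ENTITIES   = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD    = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // What a per-application feature map like this.xmlFeatures would need to push into the parser.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);        // reject any <!DOCTYPE ...> outright
        dbf.setFeature(EXT_GENERAL_ENTITIES, false);   // defence in depth if a DOCTYPE must be allowed
        dbf.setFeature(EXT_PARAM_ENTITIES, false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document declaring an external entity (placeholder path).
        String untrusted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/should-never-be-read\">]>\n"
            + "<data>&ext;</data>";
        try {
            parse(untrusted);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (org.xml.sax.SAXParseException e) {
            // disallow-doctype-decl stops the parse at the DOCTYPE; the entity is never resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }
        Document ok = parse("<data>plain text only</data>");
        System.out.println("Plain document root: " + ok.getDocumentElement().getTagName());
    }
}
```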

Activity

Zac Spitzer
September 5, 2019, 7:45 PM

Aliases are good! Being able to set this in the admin, with some explanatory text, would be nice.

Igal
September 5, 2019, 7:49 PM

Admin setting is beyond the scope of this ticket. Feel free to open a separate one for that.

Igal
September 5, 2019, 8:56 PM

This is solved for Lucee 5.3.4.51

I am having issues with my Atlassian/JIRA account so will close this officially ASAP

Zac Spitzer
October 23, 2020, 9:34 PM

Here are all the commits.

Zac Spitzer
October 25, 2020, 12:49 AM

Documented the actual options for xmlFeatures.

Fixed

Assignee

Igal Sapir

Reporter

Pete Freitag

Priority

Blocker