There is no way to access the XML Parser features (used by XmlParse, XmlSearch and XmlTransform) in order to prevent XML External Entity (XXE) vulnerabilities in CFML. These features should be exposed to the developer in `Application.cfc`, for example:
`this.xmlFeatures["FEATURE_IDENTIFIER"] = value;`
Please see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java for implementation details.
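The mapping this ticket asks for, sketched as an added Java example (not code from the ticket or from Lucee): a map of feature identifiers, the shape of the proposed `this.xmlFeatures` struct, is applied to a JAXP `DocumentBuilderFactory` using the feature URIs listed in the OWASP cheat sheet's Java section. The class name, helper names and sample XML are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XmlFeaturesDemo {

    // Hypothetical helper: applies an identifier -> boolean map (the shape of
    // the proposed this.xmlFeatures struct) to a JAXP factory.
    static DocumentBuilderFactory factoryWith(Map<String, Boolean> features)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (Map.Entry<String, Boolean> f : features.entrySet()) {
            // Throws ParserConfigurationException if the parser rejects the
            // feature, so a mistyped identifier fails loudly instead of silently.
            dbf.setFeature(f.getKey(), f.getValue());
        }
        return dbf;
    }

    // Parses the XML and reports whether the parser accepted or rejected it.
    static String parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            return "parsed, root element: " + dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement().getNodeName();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the DOCTYPE declares only an internal
        // entity, so nothing is read from disk or the network.
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY note \"expanded\">]>"
            + "<order>&note;</order>";

        Map<String, Boolean> hardened = new LinkedHashMap<>();
        hardened.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        hardened.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        hardened.put("http://xml.org/sax/features/external-general-entities", false);
        hardened.put("http://xml.org/sax/features/external-parameter-entities", false);

        System.out.println(parse(factoryWith(new LinkedHashMap<>()), xml)); // parser defaults
        System.out.println(parse(factoryWith(hardened), xml));              // hardened features
    }
}
```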
Aliases are good! Being able to set this in the admin, with some explanatory text, would be nice.
Admin setting is beyond the scope of this ticket. Feel free to open a separate one for that.
This is solved for Lucee 18.104.22.168
I am having issues with my Atlassian/JIRA account, so will close this officially ASAP.
Here are all the commits.
documented the actual options for xmlfeatures