Expose XML Parser Configuration to prevent XXE

Description

There is no way to access the XML parser features (used by XmlParse, XmlSearch and XmlTransform) in order to prevent XML External Entity (XXE) vulnerabilities in CFML. These features should be exposed to the developer, for example in `Application.cfc`:

this.xmlFeatures["FEATURE_IDENTIFIER"] = value;

Please see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java for implementation details.
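As an added illustration (not code from this issue or from Lucee itself), this is what the proposed setting could look like, assuming the proposed `this.xmlFeatures` struct accepts the Xerces/SAX feature identifiers recommended in the linked OWASP Java cheat sheet; the exact syntax and the acceptance of those identifiers are assumptions, and the XML input is constructed for the demonstration:

```cfml
// Application.cfc (assumed shape of the proposed API; the feature identifiers
// are the standard Xerces/SAX ones from the OWASP Java XXE cheat sheet)
component {
    this.name = "xxe-hardened-app";
    this.xmlFeatures = {};

    // Preferred: reject any DOCTYPE, which removes entity declarations (and
    // with them XXE) from parsed documents altogether. Use when no DTDs are needed.
    this.xmlFeatures["http://apache.org/xml/features/disallow-doctype-decl"] = true;

    // If DOCTYPEs must be accepted, at least refuse to resolve external entities
    // and external DTDs so the parser performs no file or network fetch.
    this.xmlFeatures["http://xml.org/sax/features/external-general-entities"] = false;
    this.xmlFeatures["http://xml.org/sax/features/external-parameter-entities"] = false;
    this.xmlFeatures["http://apache.org/xml/features/nonvalidating/load-external-dtd"] = false;
}

// check.cfm: constructed untrusted input carrying a DOCTYPE with an internal
// entity. With disallow-doctype-decl enabled, XmlParse is expected to throw
// instead of processing the entity declaration; without it, the document parses.
untrusted = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>';
try {
    doc = XmlParse(untrusted);
    writeOutput("parsed (DOCTYPE allowed): " & encodeForHTML(doc.d.xmlText));
} catch (any e) {
    writeOutput("rejected by parser: " & encodeForHTML(e.message));
}
```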

Status

Assignee

Igal Sapir

Reporter

Pete Freitag

Labels

None

Sprint

None

Fix versions

Priority

Blocker