Avoiding XXE attacks #353
Replies: 2 comments 2 replies
-
|
Is anyone able to answer this or make a recommendation? |
Beta Was this translation helpful? Give feedback.
-
|
It doesn't look like this library respects DOCTYPE definitions at all. I did a quick test and it seems entities are passed back as-is and doctypes are stripped. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks pluma. I ended up coming to the same conclusion |
Beta Was this translation helpful? Give feedback.
-
|
DOCTYPE entities are supported from v4 with a few limitations to avoid attacks. Please read Entities for more detail. |
Beta Was this translation helpful? Give feedback.
-
Hey
We are considering using fast-xml-parser to receive and parse xml in our production system. Does this library provide any ability to disable DOCTYPE definitions or external entities? We would like to secure our endpoint against XXE attacks in case one of our API keys was leaked.
Thanks,
Alex
Beta Was this translation helpful? Give feedback.
All reactions