Closed cgocast closed 8 months ago
It is documented how to protect SchemaFactory https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#schemafactory
Yes, I am aware. I am just saying that the sample given in https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#validator does not follow the recommendations you are linking to. In my opinion, OWASP Cheat Sheet should avoid giving code samples that are bad practice.
Yes @cgocast good catch! Do you want to make a PR for this one?
Sure, I will write a PR.
Awesome thanks!
What is missing or needs to be updated?
The sample to protect a `javax.xml.validation.Validator` does not follow the recommendations given to protect a `javax.xml.validation.SchemaFactory`. The following lines are missing:

How should this be resolved?
Add the two missing lines in the sample.
Add a link to [the documentation of newValidator()](https://docs.oracle.com/javase/7/docs/api/javax/xml/validation/Schema.html#newValidator()) which states:
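Added example, not code from the issue or from the cheat sheet: a Validator built the way the issue argues the sample should be, with the two external-access properties set on the Validator itself rather than only on the SchemaFactory, and a constructed canary document (schema, instance XML and the placeholder entity URI are all assumptions) used to confirm that the hardened Validator refuses external access.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

public class HardenedValidator {
    // Constructed schema: a single string element "note".
    private static final String XSD = "<?xml version=\"1.0\"?>"
        + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";

    // Constructed canary document: its internal DTD declares an external
    // entity with a placeholder URI. A properly hardened Validator must
    // reject it instead of trying to resolve the entity.
    private static final String CANARY = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///placeholder-does-not-exist\">]>"
        + "<note>&ext;</note>";

    public static Validator build() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // SchemaFactory hardening as recommended by the cheat sheet.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new StreamSource(new StringReader(XSD)));

        Validator validator = schema.newValidator();
        // The two lines the issue says the Validator sample lacks: set the
        // properties explicitly on the Validator rather than relying on the
        // factory's settings being carried over to it.
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }

    // Returns true only if the document is accepted by the validator.
    public static boolean accepts(Validator validator, String xml) {
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Validator v = build();
        System.out.println("benign accepted: " + accepts(v, "<note>hello</note>"));
        System.out.println("canary accepted: " + accepts(v, CANARY)); // expected false
    }
}
```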