EchoSVG has some *DocumentFactory constructors with a String argument, to specify the XML parser class as a string. To secure those parser (actually XMLReader) instances against XXE and SSRF attacks, the http://apache.org/xml/features/nonvalidating/load-external-dtd feature (as well as others) is disabled.
However, that feature only applies to Xerces-J and the Xerces-based parser that is bundled with the OpenJDK, so if another parser is being used it will not work. Even when using only the supported parsers, this also limits their configurability, and one consequence is that XML entities are always going to be lost, because no possibility is given to configure the XMLReader.
Moreover, the instantiation of the parser uses a deprecated method.
Solution: modify the constructors to use an XMLReader as argument instead of a String, and configure the parsers in a way that they can handle XML entities and are still secure.
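As an added illustration of the proposed solution (this is example code written here, not EchoSVG's own), the following builds an XMLReader that keeps internal entities working while blocking the external resource fetches that XXE and SSRF rely on. The feature names are standard SAX/Xerces ones; the entity resolver is a parser-independent backstop for the case the issue raises, where a non-Xerces parser ignores the Xerces-specific feature. The resulting reader is what a caller would hand to the proposed XMLReader-taking *DocumentFactory constructor (that constructor is not called here, since its signature is not yet defined). The SVG sample is constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SecureXmlReaders {

    /** Features that control fetching of external resources; all are switched off. */
    private static final String[] DISABLE = {
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"
    };

    /** Builds an XMLReader that expands internal entities but never loads external ones. */
    public static XMLReader newSecureReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Standard JAXP feature: enables entity-expansion and resource limits on compliant parsers.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        for (String feature : DISABLE) {
            try {
                reader.setFeature(feature, false);
            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
                // A non-Xerces parser may not know this feature; the resolver below still applies.
            }
        }
        // Parser-independent backstop: every external entity resolves to empty content,
        // so no file or network access can occur even if a feature above was ignored.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Parses the document and returns its concatenated character data. */
    public static String parseText(XMLReader reader, String xml) throws IOException, SAXException {
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an internal entity (kept) and an external one (blocked).
        String svg = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE svg [\n"
            + "  <!ENTITY label \"hello\">\n"
            + "  <!ENTITY ext SYSTEM \"http://example.invalid/ext.xml\">\n"
            + "]>\n"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&label; &ext;</text></svg>";
        XMLReader reader = newSecureReader();
        System.out.println(parseText(reader, svg));
    }
}
```

The internal entity `&label;` is expanded normally, which is the configurability the issue says the String-based constructors take away; `&ext;` contributes nothing because external general entities are disabled and, as a second layer, the resolver returns empty input for any system id it is asked about. Only the secure-processing feature is left to the factory, since JAXP requires every SAXParserFactory to support it.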