mxGraphViewImageReader.java vulnerable to XXE attack

[lehanhua]

SAXParserFactory instance in convert() is missing flags to prevent external entity and doctype declaration, making it vulnerable to XXE attacks. At minimum set the flags used in ExportServlet.java example. Setting "http://apache.org/xml/features/nonvalidating/load-external-dtd" to false would additionally prevent loading of external DTD.

Below are steps to reproduce. It'll need external DTD to actually extract anything but from the stack trace is sufficient to show the class is vulnerable to XXE

1. Set up and run the Java example
2. POST to ServerView with the following payload
   xml=]>%26xxe%3b%26xxe;
3. Make a GET request to http://localhost:8080/ServerView
4. Verify it's trying to read an non-existent "/blah" file

[alderg]

Thanks for the report. This will be fixed in the next release.

[sylvestre]

Could you please tell us in which patch this issue has been fixed?
Thanks

[davidjgraph]

https://bitbucket.org/jgraph/mxgraph2/commits/7d159ca3259b961cbb1c51b4ea42cb408c624ff1