Commit
Provide a secure XML parser in SecurityHelpers, use it throughout.
The secure XML parser does not allow entity references to refer to external entities; allowing this exposes an application to XXE (XML External Entity) attacks, where the external reference can be to a local file with sensitive data, whose contents will then appear in the resulting parse error messages. External entities are ignored and will not appear in the parsed or reserialized XML.

All of Lift's built-in XML parsing now uses Helpers.secureXML instead of directly using scala.xml.XML, including in tests.

More at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Signed-off-by: Diego Medina <diego@fmpwizard.com>
1 parent 5c54df3, commit fb6acf6
Showing 7 changed files with 56 additions and 18 deletions.