Disable DTD and external entities support in XmlEventDecoder to prevent XXE and XML bomb attack [SPR-15797] #20352
An instance of XMLInputFactory in XmlEventDecoder supports DTD and external entities.
Affects: 5.0 RC2
Referenced from: commits e4651d6
Juergen Hoeller commented
We have a common setup for a defensive
Thanks for raising this - just in time for 5.0 RC3!
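
The hardening the issue title asks for, as an added example that is not part of the original thread and is not Spring's own code. The class `DefensiveStaxDemo`, the helpers `hardenedFactory` and `parse`, and the sample document are hypothetical and constructed here; it assumes Java 11+ and whichever StAX implementation `XMLInputFactory.newInstance()` returns on the classpath.

```java
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.XMLEvent;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class DefensiveStaxDemo {
    // Hypothetical helper: a factory with DTD and external entity support switched off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Second layer: refuse any external resource the parser still asks for.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external resource refused: " + systemId);
        });
        return f;
    }

    // Collects character data from the event stream; reports a parser rejection as text.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
            while (reader.hasNext()) {
                XMLEvent e = reader.nextEvent();
                if (e.isCharacters()) text.append(e.asCharacters().getData());
            }
            return "parsed, text=[" + text + "]";
        } catch (XMLStreamException ex) {
            return "rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temp file this program creates, referenced as an external entity.
        Path marker = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(marker, "LOCAL-FILE-CONTENT");
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>"
            + "<doc>&ext;</doc>";
        System.out.println("default : " + parse(XMLInputFactory.newInstance(), xml));
        System.out.println("hardened: " + parse(hardenedFactory(), xml));
        Files.delete(marker);
    }
}
```

If the marker string appears in the `default` line, that factory resolved the external entity; the `hardened` line should never contain it, whether the parser rejects the document or skips the DTD.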