Question

当我运行HP fortify时，以下代码作为XML外部实体注入.Problem行被指定为错误行。感谢任何帮助。

private Document parseXmlString(String stringname, boolean validating) {
        try {

            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setValidating(validating);

            ByteArrayInputStream is = new ByteArrayInputStream(stringname.getBytes());


            Document doc = factory.newDocumentBuilder().parse(is);//Error Line
                return doc;
            } catch (SAXException e) {
                // A parsing error occurred; the xml input is not valid
            } catch (ParserConfigurationException e) {

            } catch (IOException e) {
            }
            return null;
    }

Answer 1

我希望这就是你要找的东西： https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

XML外部实体注入（输入验证和表示，数据流）

1 个答案: