Closed
Description
@jroper says to add the following to XMLLoader.parser:
See http://blog.csnc.ch/2012/08/secure-xml-parser-configuration/
import javax.xml.parsers.{ParserConfigurationException, SAXParserFactory}
import org.xml.sax.{SAXNotRecognizedException, SAXNotSupportedException}

val f = SAXParserFactory.newInstance()  // the factory XMLLoader.parser already builds
try {
  // Refuse to resolve external general entities, and reject any DOCTYPE outright so
  // that no entities (internal or external) can be declared in the first place.
  f.setFeature("http://xml.org/sax/features/external-general-entities", false)
  f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
} catch {
  case e: ParserConfigurationException => // warn that the SAXParserFactory supplied by the JDK doesn't support this feature, and that the application may therefore be vulnerable to external entity attacks, encourage to define your own parser instead
  case e: SAXNotRecognizedException => // as above
  case e: SAXNotSupportedException => // as above
}
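A worked version of the suggestion above, added here as an example; it is not code from this issue or from Play's own XMLLoader. It assumes scala-xml's `scala.xml.factory.XMLLoader` trait (whose default `parser` builds an unhardened `SAXParserFactory`), the Xerces feature names used by the JDK's built-in parser, and Scala 2.10 or later. The `SecureXML` and `Demo` object names, the warning text and the sample XXE document are constructed for the example. It goes slightly beyond the snippet by also disabling `external-parameter-entities`, which the blog post linked above recommends alongside the two features already listed.

```scala
import javax.xml.parsers.{ParserConfigurationException, SAXParser, SAXParserFactory}
import org.xml.sax.{SAXNotRecognizedException, SAXNotSupportedException, SAXParseException}
import scala.xml.Elem
import scala.xml.factory.XMLLoader

// Hypothetical name: a drop-in for scala.xml.XML that hardens the SAX parser it builds.
object SecureXML extends XMLLoader[Elem] {

  // SAX / Xerces feature names understood by the JDK's bundled parser.
  private val NoDoctype           = "http://apache.org/xml/features/disallow-doctype-decl"
  private val NoExternalGeneral   = "http://xml.org/sax/features/external-general-entities"
  private val NoExternalParameter = "http://xml.org/sax/features/external-parameter-entities"

  override def parser: SAXParser = {
    val f = SAXParserFactory.newInstance()
    f.setNamespaceAware(false)
    try {
      // Rejecting the DOCTYPE is the strongest setting: no entities can be declared at
      // all, which also stops entity-expansion ("billion laughs") documents. The two
      // external-entity features are belt and braces for a factory that honours them
      // but does not know disallow-doctype-decl.
      f.setFeature(NoDoctype, true)
      f.setFeature(NoExternalGeneral, false)
      f.setFeature(NoExternalParameter, false)
    } catch {
      // The same three failure modes as the snippet in the issue. The factory is still
      // returned, so the caller gets a loud warning rather than a silently weaker parser.
      case e: ParserConfigurationException => warnUnsupported(e)
      case e: SAXNotRecognizedException    => warnUnsupported(e)
      case e: SAXNotSupportedException     => warnUnsupported(e)
    }
    f.newSAXParser()
  }

  private def warnUnsupported(e: Exception): Unit =
    System.err.println(
      "WARNING: the SAXParserFactory supplied by the JDK does not support a secure-parsing " +
      s"feature (${e.getMessage}); the application may be vulnerable to external entity " +
      "attacks. Define your own parser instead.")
}

object Demo extends App {
  // Turn the parser's rejection into a value so callers handling untrusted input
  // do not have to catch SAXParseException themselves.
  def parseUntrusted(xml: String): Either[String, Elem] =
    try Right(SecureXML.loadString(xml))
    catch { case e: SAXParseException => Left(e.getMessage) }

  // Constructed XXE payload. With the default scala.xml.XML loader the external entity
  // would be resolved and the file's contents would appear as the text of <foo>.
  val xxe =
    """<?xml version="1.0"?>
      |<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
      |<foo>&ext;</foo>""".stripMargin

  val benign = "<foo><bar>ok</bar></foo>"

  // The hardened loader fails at the DOCTYPE, before any entity is declared or resolved.
  println(parseUntrusted(xxe))
  // Ordinary documents without a DOCTYPE are unaffected.
  println(parseUntrusted(benign))
}
```

The check a reviewer would want is the first `println`: the hardened loader must return a `Left` for the XXE document and nothing may be read from disk. If instead a `Right` comes back containing the hostname, the factory in use (for example a third-party one found on the classpath) ignored the features, which is exactly the situation the warning in the `catch` block is meant to surface.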