[jdom-interest] How to disable <!DOCTYPE > parsing

Jason Hunter jhunter at xquery.com
Thu Dec 16 16:45:17 PST 2004


(I'm quick with the FAQ pointers today.)


Raffaele Sena wrote:

> I am pretty sure this is not a specific JDOM problem but I wanted to see 
> if any of you has an idea.
> I am parsing some XML data using JDOM and SAXBuilder. The data is posted
> by a web client to execute some server-side APIs. The format is very
> simple so I don't have a DTD or schema for it. Also, I parse the document
> with no validation (since I don't have a DTD to validate against).
> Somebody, to test our "security holes" came up with the idea of passing a 
> <!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know, 
> the XML parser, validation or not, tries to access it (so they claim is a 
> security hole because they can generate accesses from our server to 
> whatever server they put in the DTD URL. Pretty clever actually!)
> Again, I think this is a problem with the XML parser I am using. I found 
> out that Xalan has a special "feature" to disable DTD parsing (but I 
> didn't try because I don't want to use Xalan for this).
> First of all, should this happen if validation is disabled ?
> If that's out of JDOM control, can anybody think of a way to disable this 
> at the XML parser level (maybe subclassing some handler ?)
> Thanks!
> -- Raffaele
> _______________________________________________
> To control your jdom-interest membership:
> http://www.jdom.org/mailman/options/jdom-interest/youraddr@yourhost.com

More information about the jdom-interest mailing list