OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [YANGTOOLS-1211] Can XML injection protection settings be added to XmlParserStream.java? https://jira.opendaylight.org/browse/YANGTOOLS-1211 yangtools <p>Can XML injection protection settings be added to XmlParserStream.java? For example:<br/> final TransformerFactory tf = TransformerFactory.newInstance();<br/> tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);</p> YANGTOOLS-1211 Can XML injection protection settings be added to XmlParserStream.java? Improvement Low Open Unresolved Unassigned march much Mon, 25 Jan 2021 13:23:47 +0000 Mon, 25 Jan 2021 14:36:01 +0000 0 2 <p>I do not see how it could be attacked even today. The transformer does not process a raw document, but rather a stream of events coming from a (I am pretty sure) secured XMLStreamWriter. By the time the transformer sees it, the document's contents should've been defanged.</p> <p>If not, please provide a test case.</p> Development Rank 0|i03wu7: