If customizations do not require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

Disable entity expansion on your instance to secure your instance from attacks such as ability to read system files, and Denial of Service. Use the system property to disallow XML entities to be expanded during parsing by the streaming parser (XMLDocument2).

Set the glide.stax.allow_entity_resolution system property to false to disable entity expansion on your instance. If this property does not appear in the System Properties [sys_properties] table, the default value is true. Create the property record and set the value to false to change it's value.

Prerequisites

Before setting this property:
Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information

AttributeDescription
Property name glide.stax.allow_entity_resolution
Configuration type System Properties (/sys_properties_list.do)
Category Validation, sanitization, and encoding
Purpose This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laugh attack.
Recommended value false
Default value true
Functional impact If the customization is using entity expansion, then, the Now Platform might block further processing.
Security risk (Critical) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources.
Workaround If the customization requires entity expansion, set this property to true and follow the steps documented in Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3].

To learn more about adding or creating a system property, see Add a system property

For more information about OWASp resources, see OWASp.