Restrict XML external entities [Updated in Security Center 1.3 and 2.0]
- Updated Feb 11, 2025
- Yokohama
- Platform Security
Ensure that the glide.xml.entity.whitelist and glide.xml.entity.whitelist.enabled properties are set to the recommended values to prevent XML external entity (XXE) attacks.
In an XXE attack, attacker-supplied XML declares external entities that point at URLs of the attacker's choosing; when the parser resolves them, the instance itself issues those HTTP requests. An allow list restricts entity resolution to known-safe locations, so the server never fetches arbitrary attacker-chosen URLs. Without it, an attacker could use the server's trust relationships with other systems to mount further attacks.
Add http://java.sun.com/j2ee/dtds/ to the value of the glide.xml.entity.whitelist system property, then set the glide.xml.entity.whitelist.enabled system property to true.
Values other than http://java.sun.com/j2ee/dtds/ can be included in the glide.xml.entity.whitelist property, but none are needed for the out-of-the-box platform state. Review any additional value to confirm that it is safe before keeping it in the list.
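The check and remediation described above, written as an added example (this is not ServiceNow's code, and the page does not ship a script). It assumes, beyond what the page states, that the whitelist value is a comma-separated list of URL prefixes, and that the platform object handed in exposes getProperty(name) and setProperty(name, value) like GlideSystem's gs.getProperty and gs.setProperty. The rules it applies to extra entries (reject non-HTTP schemes and host-wide prefixes, flag everything else for manual review) are this example's own judgement, not platform policy.

```javascript
// Added example: audit and remediate the two XXE allow-list properties.
// Assumptions (not from the page): comma-separated URL prefixes, and a
// GlideSystem-like object with getProperty/setProperty.
const WHITELIST_PROP = 'glide.xml.entity.whitelist';
const ENABLED_PROP = 'glide.xml.entity.whitelist.enabled';
const REQUIRED_PREFIX = 'http://java.sun.com/j2ee/dtds/';

// Split the stored value into individual prefixes, tolerating whitespace,
// an empty string and null (gs.getProperty returns null for a missing key).
function parseWhitelist(value) {
  return String(value || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Minimal URL split (scheme, host, path); avoids the WHATWG URL class so the
// logic ports to a server-side script engine that lacks it.
function splitUrl(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(\/[^?#]*)?/i.exec(entry);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2], path: m[3] || '' };
}

// Heuristic review of an extra entry (anything other than REQUIRED_PREFIX).
// Returns a problem string, or null when the entry only needs a human look.
function reviewEntry(entry) {
  const u = splitUrl(entry);
  if (!u) return 'not an absolute URL prefix';
  if (u.scheme !== 'http' && u.scheme !== 'https') {
    return 'non-HTTP scheme (' + u.scheme + ') should not be allow-listed';
  }
  if (u.path === '' || u.path === '/') {
    return 'host-wide prefix is too broad; restrict it to the DTD directory';
  }
  return null;
}

// Evaluate both property values. "fail" findings make the result non-compliant;
// "review" findings are extra entries that look sane but still need sign-off.
function evaluateXxeProperties(whitelistValue, enabledValue) {
  const entries = parseWhitelist(whitelistValue);
  const enabled = String(enabledValue || '').trim().toLowerCase() === 'true';
  const findings = [];
  if (!entries.includes(REQUIRED_PREFIX)) {
    findings.push({ level: 'fail', message: REQUIRED_PREFIX + ' missing from ' + WHITELIST_PROP });
  }
  if (!enabled) {
    findings.push({ level: 'fail', message: ENABLED_PROP + ' is not true; the allow list is not enforced' });
  }
  for (const entry of entries) {
    if (entry === REQUIRED_PREFIX) continue;
    const problem = reviewEntry(entry);
    findings.push({
      level: problem ? 'fail' : 'review',
      message: entry + ': ' + (problem || 'extra entry, confirm it is still needed'),
    });
  }
  // Remediation only adds the required prefix; extra entries are reported,
  // never silently dropped, because removing one could break a real integration.
  const recommendedList = entries.includes(REQUIRED_PREFIX) ? entries : entries.concat([REQUIRED_PREFIX]);
  return {
    compliant: findings.every((f) => f.level !== 'fail'),
    findings,
    recommended: { [WHITELIST_PROP]: recommendedList.join(','), [ENABLED_PROP]: 'true' },
  };
}

// Read both properties from a GlideSystem-like object and, when asked to,
// write the recommended values back.
function auditPlatform(gsLike, remediate) {
  const result = evaluateXxeProperties(gsLike.getProperty(WHITELIST_PROP), gsLike.getProperty(ENABLED_PROP));
  if (remediate && !result.compliant) {
    gsLike.setProperty(WHITELIST_PROP, result.recommended[WHITELIST_PROP]);
    gsLike.setProperty(ENABLED_PROP, result.recommended[ENABLED_PROP]);
  }
  return result;
}

// Constructed stand-in for gs so the example runs offline; on an instance
// you would pass the real gs object instead.
function makeFakeGs(initial) {
  const store = Object.assign({}, initial);
  return {
    getProperty: (name) => (name in store ? store[name] : null),
    setProperty: (name, value) => { store[name] = value; },
    dump: () => Object.assign({}, store),
  };
}

const sampleGs = makeFakeGs({ [ENABLED_PROP]: 'false' }); // constructed: prefix absent, enforcement off
const before = auditPlatform(sampleGs, true);  // reports two failures, then writes the fix
const after = auditPlatform(sampleGs, false);  // re-check after remediation
console.log(JSON.stringify({ before: before.findings, after: after.compliant, props: sampleGs.dump() }, null, 2));
```

Run it under Node as shown; inside an instance, pass gs rather than the fake object and adapt the syntax to whatever JavaScript mode the script's scope supports. Remediation deliberately never deletes an entry it cannot vouch for: an unexpected scheme or a host-wide prefix stays in place and keeps the result non-compliant until someone removes it by hand.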