/**
 * Demonstrates an XML External Entity (XXE) read and the corresponding
 * mitigation.
 * <p>
 * Phase 1 parses a document whose inline DTD declares an entity pointing at a
 * local file, using reader settings whose {@link EntityResolver} fetches any
 * SYSTEM identifier it is handed. The parser expands the entity and the file
 * content ends up in the document text - this is the vulnerable configuration
 * under test, not a pattern to copy into production code.
 * <p>
 * Phase 2 re-parses the same document with
 * {@code EXMLParserFeature.AVOID_XXE_SETTINGS} applied to a clone of those
 * settings and expects a {@link SAXParseException} whose message names the
 * Xerces {@code disallow-doctype-decl} feature, i.e. the document is rejected
 * at the DOCTYPE before any entity can be resolved.
 *
 * @throws SAXException
 *         if the permissive parse unexpectedly fails
 * @throws MalformedURLException
 *         if the dummy file cannot be turned into a URL
 */
@Test
public void testExternalEntityExpansion () throws SAXException, MalformedURLException
{
  // A harmless local file standing in for the secret an attacker would target
  final File aTargetFile = new File ("src/test/resources/test1.txt");
  assertTrue (aTargetFile.exists ());

  // Expected payload. Read as ISO-8859-1; the parser decodes the external
  // entity on its own, so this comparison assumes the file is plain ASCII -
  // TODO confirm test1.txt contains no non-ASCII bytes.
  final String sExpectedPayload = StreamHelper.getAllBytesAsString (new FileSystemResource (aTargetFile),
                                                                    CCharset.CHARSET_ISO_8859_1_OBJ);

  // Attacker-controlled document: an inline DTD declaring an external entity
  // that resolves to the local file, then a reference to that entity.
  final String sEntityURL = aTargetFile.toURI ().toURL ().toExternalForm ();
  final StringBuilder aXML = new StringBuilder ();
  aXML.append ("<?xml version='1.0' encoding='utf-8'?>");
  aXML.append ("<!DOCTYPE root [");
  aXML.append (" <!ELEMENT root ANY >");
  aXML.append (" <!ENTITY xxe SYSTEM \"").append (sEntityURL).append ("\" >]>");
  aXML.append ("<root>&xxe;</root>");
  final String sMaliciousXML = aXML.toString ();

  // Permissive settings: the resolver dereferences whatever SYSTEM identifier
  // the document supplies, with no allow-list. This is exactly what makes XXE
  // exploitable.
  final EntityResolver aOpenResolver = new EntityResolver ()
  {
    @Override
    public InputSource resolveEntity (final String publicId, final String systemId) throws SAXException, IOException
    {
      // Fetch the referenced resource as a URL, unconditionally
      return InputSourceFactory.create (new URLResource (systemId));
    }
  };
  final DOMReaderSettings aPermissiveSettings = new DOMReaderSettings ().setEntityResolver (aOpenResolver);

  // Phase 1: the parse succeeds and the entity is expanded - file content
  // leaks into the document
  final Document aLeakyDoc = DOMReader.readXMLDOM (sMaliciousXML, aPermissiveSettings);
  assertNotNull (aLeakyDoc);
  assertEquals (sExpectedPayload, aLeakyDoc.getDocumentElement ().getTextContent ());

  // Phase 2: hardened settings on a clone (leaves the permissive object
  // untouched). The DOCTYPE itself must now be rejected.
  final DOMReaderSettings aHardenedSettings = aPermissiveSettings.getClone ()
                                                                 .setFeatureValues (EXMLParserFeature.AVOID_XXE_SETTINGS);
  try
  {
    DOMReader.readXMLDOM (sMaliciousXML, aHardenedSettings);
    // A normal return means the mitigation did not engage
    fail ();
  }
  catch (final SAXParseException ex)
  {
    // Expected. Note this pins the Xerces feature URI in the parser's message
    // text, so the assertion is coupled to that parser's wording.
    assertTrue (ex.getMessage ().contains ("http://apache.org/xml/features/disallow-doctype-decl"));
  }
}