The XML module provides a Plugin allowing easy production and consumption of XML. Secure by default, gradually relaxable.
The Java ecosystem is rich when it comes to XML libraries, maybe too rich. But that seems to be the case in many stacks. This module leverages the standard JAXP APIs, providing XPath processing. No fancy fluent API is provided, but the plugin exposes a collection of utility methods that should cover most of the frequent use cases.
Special attention has been taken to normalize and tighten the security of XML processing across the libraries used.
DTD is dangerous
But before enabling it, beware that if you process documents coming from untrusted sources, one could easily DoS the application (e.g.
You have been warned.
The default behaviour is to fail on any external entity lookup. That is pretty good for your safety, as external entities could be used to read files from the file system, reach the internal network, or DoS the application. But it is not good if you need complex validation and/or transformation processing. Think of this as firewall rules: you start with a simple Deny All rule, then open what you need, knowing what you are doing.
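The following is an added example of that Deny All starting point written directly against the JAXP APIs; it is not the plugin's own code. It assumes the JDK's built-in Xerces-based parser (the feature URIs and the JAXP 1.5 access properties are standard there) and uses a constructed sample document with a harmless internal DTD subset to show what is rejected by default and what a single, explicit relaxation lets through.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class HardenedXml {

    // Deny-all JAXP configuration: no DOCTYPE, no external entities, no external
    // DTD/schema fetches, no XInclude. Relax one switch only when a document
    // format genuinely needs it (the "allowInternalDtd" flag is this example's own).
    static DocumentBuilderFactory denyAllFactory(boolean allowInternalDtd)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing the DOCTYPE outright closes both entity-expansion DoS and external entity lookups.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowInternalDtd);
        // Even when a DOCTYPE is tolerated, nothing outside the document is ever resolved.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // JAXP 1.5: no protocol allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse with the hardened factory, then run an XPath expression over the DOM.
    static String evaluate(String xml, String xpath, boolean allowInternalDtd) throws Exception {
        DocumentBuilder builder = denyAllFactory(allowInternalDtd).newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return XPathFactory.newInstance().newXPath().evaluate(xpath, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples standing in for untrusted input; the DTD here is an internal subset only.
        String plain = "<note>hello world</note>";
        String withDtd = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hello world</note>";
        System.out.println(evaluate(plain, "/note/text()", false));
        try {
            evaluate(withDtd, "/note/text()", false);
        } catch (SAXParseException e) {
            System.out.println("rejected by default: " + e.getMessage());
        }
        // Explicitly relaxed for this format: DOCTYPE accepted, external lookups still denied.
        System.out.println(evaluate(withDtd, "/note/text()", true));
    }
}
```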