The XML module provides a plugin allowing easy production and consumption of XML. Secure by default, gradually relaxable.

XML Processing

The Java ecosystem is rich when it comes to XML libraries, maybe too rich. But that seems to be the case in many stacks. This module leverages the standard JAXP APIs, providing StAX, SAX, DOM, XSLT and XPath processing. No fancy fluent API is provided, but the plugin exposes a collection of utility methods that should cover most of the frequent use cases.

Under the hood, Woodstox is used for stream pull parsing (StAX); Xerces for stream push parsing (SAX & SAX2), DOM handling and schema validation; and Saxon for XSLT, XPath and XQuery support.

Special attention has been paid to normalizing and tightening the security of XML processing across the libraries used.

Important
DTD is dangerous

By default, DTD processing is disabled. It can easily be enabled using the setValidating() method of SAXParserFactory or DocumentBuilderFactory.

But before enabling it, beware that if you process documents coming from untrusted sources, one could easily DoS the application (e.g. an OutOfMemoryError using not so cleverly crafted regular expressions, or simply consuming all your computing power using exponential or polynomial nested entity references). These attacks are known as XML Entity Expansion attacks or Billion Laughs.

You have been warned.
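To make the "disabled by default" posture concrete, here is an added example (not code from the module itself) that builds a hardened DocumentBuilderFactory with plain JAXP calls and compares it with a factory left at its defaults. It assumes the JDK's built-in JAXP implementation or standalone Xerces, since the feature URIs are Xerces/SAX features; the sample document is constructed for the example and only declares a single harmless internal entity, which is enough to show that any DOCTYPE is refused once the feature is set.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class DtdPolicyDemo {

    // Constructed sample: an internal DTD declaring one entity. Harmless in itself, but
    // the DOCTYPE mechanism is what carries entity expansion and external entity tricks,
    // so a hardened parser refuses it wholesale.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";

    /** Hardened factory: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP-wide limits (entity expansion count, element depth, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: reject any DOCTYPE declaration. This single setting defeats both
        // entity expansion ("billion laughs") and external entity injection.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case DOCTYPE is re-enabled later via setValidating(true).
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the factory parses the document, false when the parser rejects it. */
    public static boolean parses(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // The hardened factory ends up here with "DOCTYPE is disallowed ...".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DOCTYPE:  "
            + parses(DocumentBuilderFactory.newInstance(), WITH_DOCTYPE));
        System.out.println("hardened factory accepts DOCTYPE: "
            + parses(hardenedFactory(), WITH_DOCTYPE));
    }
}
```

The default factory expands the entity and returns a document; the hardened one fails at the DOCTYPE before any entity is processed. Keeping the other features set even with disallow-doctype-decl means that a later call to setValidating(true) re-enables DTD handling without also re-enabling external lookups.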

External Entities

The default behaviour is to fail on any external entity lookup. That's pretty good for your safety, as such lookups could be used to read files from the file system or the internal network, or to DoS the application. But it is not good if you need complex validation and/or transformation processing. Think of this as firewall rules: you start with a simple Deny All rule, then open what you need, knowing what you are doing.
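The firewall analogy maps directly onto a SAX EntityResolver: refuse every lookup, then allowlist the few identifiers you ship content for. The following is an added example, not the module's own code, written against plain JAXP (Java 9+ for Map.of, the JDK's built-in Xerces or standalone Xerces). The DTD URL and the DTD text are constructed for the example; a real project would load the allowlisted content from bundled resources. Because a DTD is needed here, DOCTYPE stays enabled via setValidating(true), and the resolver is what keeps the parser off the network.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Deny-all entity resolver with an explicit allowlist, like a firewall rule set. */
public final class AllowlistEntityResolver implements EntityResolver {

    // Constructed allowlist: the only system identifiers we resolve, mapped to DTD text we
    // control. Anything else is refused, so the parser never fetches on its own.
    private static final Map<String, String> LOCAL_DTDS = Map.of(
        "https://example.invalid/dtd/note.dtd",
        "<!ELEMENT note (to, body)>\n<!ELEMENT to (#PCDATA)>\n<!ELEMENT body (#PCDATA)>");

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        String local = systemId == null ? null : LOCAL_DTDS.get(systemId);
        if (local == null) {
            // Deny All: failing loudly is safer than silently returning an empty entity.
            throw new SAXException("refusing to resolve external entity " + systemId);
        }
        InputSource source = new InputSource(new StringReader(local));
        source.setSystemId(systemId);
        return source;
    }

    /** Turns recoverable validity errors into exceptions instead of the default stderr print. */
    static final class StrictErrors implements ErrorHandler {
        public void warning(SAXParseException e) { }
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    }

    /** Parses and DTD-validates xml; external references resolve only through the allowlist. */
    public static Document parseValidated(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setValidating(true);       // validation needs the DTD, so DOCTYPE stays allowed
        f.setXIncludeAware(false);
        // General external entities (the file-read vector) are not needed for validation.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(new AllowlistEntityResolver());
        b.setErrorHandler(new StrictErrors());
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // Constructed inputs: the first references the allowlisted DTD, the second an unknown one.
    static final String ALLOWED =
        "<!DOCTYPE note SYSTEM \"https://example.invalid/dtd/note.dtd\">\n"
      + "<note><to>Bob</to><body>Hi</body></note>";
    static final String DENIED =
        "<!DOCTYPE note SYSTEM \"https://example.invalid/dtd/other.dtd\">\n"
      + "<note><to>Bob</to><body>Hi</body></note>";

    public static void main(String[] args) throws Exception {
        Document ok = parseValidated(ALLOWED);
        System.out.println("allowlisted DTD validated, root = " + ok.getDocumentElement().getTagName());
        try {
            parseValidated(DENIED);
        } catch (SAXException e) {
            System.out.println("unknown DTD rejected: " + e.getMessage());
        }
    }
}
```

Parameter entities are left enabled on purpose: Xerces uses that feature to load the external DTD subset, and turning it off would leave nothing for the resolver to validate against. The resolver is therefore the single point where the Deny All rule is relaxed, one identifier at a time.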