13:02, EEST
December 6, 2016
We transmit XML data to our OPC server via a method, containing a XmlElement parameter.
The XML data also contains a DOCTYPE, so we are getting error messages like this:
“DOCTYPE is disallowed when the feature “http://apache.org/xml/features/disallow-doctype-decl” set to true. “
How can we set “http://apache.org/xml/features/disallow-doctype-decl” to “false” ?
14:40, EEST
April 3, 2012
Hi,
This has been intentionally disabled due to prevent attacks: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#java (starting from https://downloads.prosysopc.com/opcua/Prosys_OPC_UA_Java_SDK_3_Release_Notes.html#version-3-1-4)
Therefore I highly recommend not to allow that and fix the client sending the data to not send that. If you are sure data only comes from trusted sources (and that they got it from trusted sources etc.), this should allow it:
XMLFactoryCache.getDocumentBuilderFactory().setFeature(“http://apache.org/xml/features/disallow-doctype-decl”, false);
You might need to do others as well (see the owasp site linked above). Do this at the start of main before interacting with SDK code.
Most Users Ever Online: 518
Currently Online:
13 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
hbrackel: 135
pramanj: 86
Francesco Zambon: 81
rocket science: 77
Ibrahim: 76
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
fred: 41
Member Stats:
Guest Posters: 0
Members: 681
Moderators: 16
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1467
Posts: 6261
Newest Members:
graciela2073, sagarchau, elviralangwell4, Donnavek, Eddiefauth, DonaldPooma, fidelduke938316, Jan-Pfizer, DavidROunc, fen.pang@woodside.comModerators: Jouni Aro: 1010, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5
Administrators: admin: 1