Example #1
0
        /// <summary>
        /// Configures the DocumentBuilderFactory in a way, that it is protected against XML External Entity Attacks.
        /// If the implementing parser does not support one or multiple features, the failed feature is ignored.
        /// The parser might not protected, if the feature assignment fails.
        /// </summary>
        /// <seealso cref= <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet">OWASP Information of XXE attacks</a>
        /// </seealso>
        /// <param name="dbf"> The factory to configure. </param>
//JAVA TO C# CONVERTER WARNING: 'final' parameters are not available in .NET:
//ORIGINAL LINE: private void protectAgainstXxeAttacks(final javax.xml.parsers.DocumentBuilderFactory dbf)
        private void protectAgainstXxeAttacks(DocumentBuilderFactory dbf)
        {
            try
            {
                dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            }
            catch (ParserConfigurationException)
            {
            }

            try
            {
                dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            }
            catch (ParserConfigurationException)
            {
            }

            try
            {
                dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            }
            catch (ParserConfigurationException)
            {
            }

            dbf.XIncludeAware          = false;
            dbf.ExpandEntityReferences = false;
        }