
OWASP Periodic Table of Vulnerabilities - XML External Entities

Revision as of 21:26, 16 March 2016 by Jmanico (References)


XML External Entities

Root Cause Summary

The XML parser is configured to process an unsafe DTD supplied by the document, which can include external entity references to files on the filesystem or to other internal resources.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

Disable external entity processing in the XML parser. Use strict, static, internally-defined DTDs and discard DTDs defined by XML documents. Force the application to load external content safely using framework file access code, instead of delegating the work to the XML parser.
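The two parser-side measures above (no external entity resolution, no document-supplied DTD) applied to Python's standard-library SAX parser. This is an added example, not code from the OWASP page; the sample documents and the SYSTEM identifier in them are constructed placeholders.

```python
import io
import xml.sax
from xml.sax import handler

class DoctypeRejected(ValueError):
    """The untrusted document tried to supply its own DTD."""

class _RejectDoctype:
    """Lexical handler: abort on DOCTYPE, before any entity it declares can be resolved."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"document-supplied DTD for <{name}> refused")
    # The remaining LexicalHandler callbacks are not needed here.
    endDTD = startCDATA = endCDATA = comment = lambda self, *args: None

class _FlatCollector(handler.ContentHandler):
    """Collects each element's text by tag name (enough for a flat document)."""
    def __init__(self):
        super().__init__()
        self.fields, self._current = {}, None
    def startElement(self, name, attrs):
        self._current = name
    def characters(self, content):
        if self._current:
            self.fields[self._current] = self.fields.get(self._current, "") + content
    def endElement(self, name):
        self._current = None

def parse_untrusted(data: bytes) -> dict:
    """Parse XML from an untrusted source with external entities and DTDs disabled."""
    parser = xml.sax.make_parser()
    # Declare that neither external general nor parameter entities are fetched,
    # so the parser cannot be used to read file:// or network resources.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    # Discard DTDs defined by the document itself: any DOCTYPE aborts the parse.
    parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    collector = _FlatCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.fields

def rejects_doctype(data: bytes) -> bool:
    """True if the document was refused for carrying its own DTD."""
    try:
        parse_untrusted(data)
    except DoctypeRejected:
        return True
    return False

# Constructed sample inputs (not from the page); the SYSTEM id is a placeholder.
BENIGN_XML = b"<order><item>widget</item><qty>3</qty></order>"
XXE_XML = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-real">]>'
           b"<order><item>&ext;</item><qty>3</qty></order>")
```

The benign document parses to its field values, while the document carrying a DTD is refused at the DOCTYPE, so the external entity is never even considered for resolution.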

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

Relying on external entities to assemble a document is an unsafe development pattern and should be discarded in favor of safer methods of building documents from multiple sources.


References

XML External Entity Processing
XML External Entity (XXE) Prevention Cheat Sheet
XML External Entities (WASC)
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')