## XXE Defense
Disable external entities using the method recommended for your language.
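**PHP:**
```php
// Disable external entity loading (deprecated since PHP 8.0; libxml >= 2.9.0 disables it by default).
libxml_disable_entity_loader(true);
```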
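**Java:**
```java
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Do not expand entity references into the DOM tree.
dbf.setExpandEntityReferences(false);
// Reject any document that carries a DOCTYPE declaration.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Do not resolve external general or parameter entities.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```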
**Python:**
```python
from lxml import etree

# xmlSource is the file path or file object to parse; entities are left unresolved.
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
```