Solve security issue parsing xml using SAX parser

java android xml security saxparser
dcanh121 picture dcanh121 · May 31, 2012 · Viewed 12.5k times · Source

I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.

The issue is, if the user enters an untrusted xml source url, the app and/or the device might be effected.

What are the best ways to identify risk and prevent exploit.

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it.

Thanks.

Answer

dcanh121 picture dcanh121 · May 31, 2012

After researching, I found this. I hope this would solve my problem.

To enable FEATURE_SECURE_PROCESSING

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Related questions

align text center with android

I know it sounds easy. I need to put a text in center, but when the text is too long it needs to go below, but still align in the center of my xml. Here's my code : <LinearLayout android:…

Read More
Android getting value from selected radiobutton

I have a piece of code with three RadioButtons within a RadioGroup. I want to set an onCheckedListener that will show the value of the RadioButton in a Toast. However what I have gotten so far is not working. How …

Read More
How to add a TextView to LinearLayout in Android

I am trying to add TextViews to my xml-defined layout in code. I have a xml-sheet, where a lot of Views are defined. But I have to add some views in code, so a create a LinearLayout in the xml-sheet: &…

Read More