When we open an XML file for editing, the XXE vulnerability is executed.

This commit: https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java?id=4a559f69a942c764530a1f342b6ddd1e672ee4e7 breaks what was fixed in this one: https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?id=9644d4217cd6e3be367d654a8320104d88ddfd6b

This is because expandEntityReferences is always set to "true": https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/tree/xml/bundles/org.eclipse.wst.dtd.core/contentmodel/org/eclipse/wst/dtd/core/internal/contentmodel/DTDImpl.java#n91

We work around this issue by creating our CMDocumentFactory Factory and overriding the build methods.
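The effect of leaving entity expansion on can be reproduced with the JDK's own JAXP parser. The following is an added example, not code from the report or from Eclipse WTP: it uses `DocumentBuilderFactory` rather than the WTP `DTDParser`, the class name, the `parse` helper and the marker file are hypothetical, and it assumes Java 11+ with the JDK's built-in parser (the `http://apache.org/...` feature is Xerces-specific).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XxeEntityExpansionDemo {

    // Parse the document and return the text of the root element.
    // hardened == false mirrors the state described in the report
    // (entity references always expanded); hardened == true keeps the
    // DOCTYPE usable but refuses to fetch anything it points to.
    static String parse(String xml, boolean hardened) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(!hardened);
        if (hardened) {
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
        }
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless local file stands in for data
        // that an opened XML document should never be able to read.
        Path marker = Files.createTempFile("xxe-marker", ".txt");
        Files.writeString(marker, "LOCAL-FILE-CONTENT");
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + marker.toUri() + "\"> ]>\n"
            + "<doc>&ext;</doc>";
        try {
            System.out.println("expanding: [" + parse(xml, false) + "]");
            System.out.println("hardened:  [" + parse(xml, true) + "]");
        } finally {
            Files.delete(marker);
        }
    }
}
```

Comparing the two printed lines shows whether the marker file's content reached the parsed document; a regression test of this shape would catch a later change that turns expansion back on.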