Discussion:
XML External Entity (XXE) Vulnerability
Deepak Antil
2018-05-28 11:29:36 UTC
Is GWT prone to XXE vulnerability by default, or does it require any specific
configuration for that?

The XML Prevention Sheet talks about settings for common XML parsers.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

Not sure what is internally configured in GWT's internally used XML parsers.
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+***@googlegroups.com.
To post to this group, send email to google-web-***@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
Thomas Broyer
2018-05-28 13:12:44 UTC
Post by Deepak Antil
> Is GWT prone to XXE vulnerability by default, or does it require any specific
> configuration for that?

TL;DR: No.

Post by Deepak Antil
> The XML Prevention Sheet talks about settings for common XML parsers.
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> Not sure what is internally configured in GWT's internally used XML parsers.

GWT will (AFAIK) load and process XXEs of *.gwt.xml files when you compile,
test or debug your code; but *.gwt.xml files will either be written by
yourself/your team, or come from external dependencies, so you have to be
just as careful as with any external code that you'll run on your machine.

com.google.gwt.xml.* or com.google.gwt.xhr.* defer to native browser APIs,
so they're only vulnerable if your browser is vulnerable.

GWT does not make use of XML in its server-side code (for RPC or
RequestFactory) and does not otherwise provide any XML parsing facility
itself that would be vulnerable.
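
An added example, not part of the thread and not GWT code: the reply above notes that *.gwt.xml files from external dependencies deserve the same care as external code, so this script lists external DTD and entity declarations in the module descriptors inside a jar, using regexes rather than an XML parser so nothing is resolved. The function names, the sample jar and the example.invalid URL are constructed for illustration.

```python
import io
import re
import zipfile

# <!ENTITY name SYSTEM "..."> or <!ENTITY % name PUBLIC "..." "...">
ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s+)?(\S+)\s+(?:SYSTEM|PUBLIC)\s+([^>]*)>')
# <!DOCTYPE root SYSTEM|PUBLIC ...>, i.e. a reference to an external DTD
DOCTYPE_RE = re.compile(r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\s+([^\[>]*)')


def scan_descriptor(data: bytes) -> list:
    """Return (kind, name, external id) findings; the file is never parsed as XML."""
    # Honour a UTF-16 BOM, which would otherwise hide declarations from the regexes.
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    text = data.decode(enc, errors="replace")
    findings = []
    m = DOCTYPE_RE.search(text)
    if m:
        findings.append(("external-dtd", "DOCTYPE", m.group(1).strip()))
    for m in ENTITY_RE.finditer(text):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        findings.append((kind, m.group(2), m.group(3).strip()))
    return findings


def scan_jar(jar) -> dict:
    """Scan every *.gwt.xml entry of a jar (path or file object); keep only hits."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if n.endswith(".gwt.xml")]
        results = {n: scan_descriptor(zf.read(n)) for n in names}
    return {n: f for n, f in results.items() if f}


def build_sample_jar() -> bytes:
    """Constructed sample jar: one plain descriptor, one declaring an external entity."""
    plain = b'<module><inherits name="com.google.gwt.user.User"/></module>'
    flagged = ('<!DOCTYPE module [\n'
               '  <!ENTITY ext SYSTEM "http://example.invalid/ext.txt">\n'
               ']>\n<module>&ext;</module>').encode("utf-16")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Plain.gwt.xml", plain)
        zf.writestr("org/example/Flagged.gwt.xml", flagged)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_jar(io.BytesIO(build_sample_jar())).items():
        print(name, findings)
```

A hit is a prompt to read the descriptor, not a verdict: a declaration inside an XML comment will also match, and an external DTD reference on its own may be benign.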