xmlProtection
Description
Blocks XML documents that look like attacks against older XML parsers from passing through. Indicators of such attacks are too many attributes or overly long element names. DTD definitions are simply removed.
Can be used in
spring:beans, if, internalProxy, proxy, registration, request, response, serviceProxy, soapProxy, stompProxy, swaggerProxy, transport and wsStompReassembler
Syntax
<xmlProtection removeDTD="boolean" maxElementNameLength="integer" maxAttibuteCount="integer" />
Listing 1: xmlProtection Syntax
Sample
<beans>
  <transport coreThreadPoolSize="20">
    <ruleMatching />
    <dispatching />
    <userFeature />
    <xmlProtection />
    <httpClient />
  </transport>
</beans>
Listing 2: xmlProtection Example
Attributes
Name | Required | Default | Description | Example |
---|---|---|---|---|
maxAttibuteCount | false | 1000 | If the attribute count in an incoming request exceeds this limit, the request is discarded. | |
maxElementNameLength | false | 1000 | If an element name in an incoming request is longer than this limit, the request is discarded. | |
removeDTD | false | true | Whether to remove the DTD from incoming requests. | |
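
The following sketch is an added example, not Membrane's implementation: it applies the same two limits with a streaming parser and reports whether a DTD is present, so a document can be pre-checked against the defaults in the table above. The helper `check_xml`, the per-element reading of the limits, and the handling of malformed input are assumptions of this example.

```python
import xml.parsers.expat

# Defaults from the attribute table above.
MAX_ATTRIBUTE_COUNT = 1000
MAX_ELEMENT_NAME_LENGTH = 1000

class LimitExceeded(Exception):
    """Raised from a parser callback to stop parsing at the first violation."""

def check_xml(data, max_attrs=MAX_ATTRIBUTE_COUNT, max_name_len=MAX_ELEMENT_NAME_LENGTH):
    """Hypothetical helper: return (verdict, reason, has_dtd) for an XML byte string."""
    state = {"has_dtd": False}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Only record the DTD; the interceptor removes it when removeDTD is true.
        state["has_dtd"] = True

    def on_start(name, attrs):
        # Assumption: both limits are applied per element, to the qualified name.
        if len(name) > max_name_len:
            raise LimitExceeded(f"element name of {len(name)} chars exceeds {max_name_len}")
        if len(attrs) > max_attrs:
            raise LimitExceeded(f"<{name}> has {len(attrs)} attributes, limit is {max_attrs}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except LimitExceeded as exc:
        return ("discard", str(exc), state["has_dtd"])
    except xml.parsers.expat.ExpatError as exc:
        # Choice made for this example: malformed input is discarded as well.
        return ("discard", f"not well-formed: {exc}", state["has_dtd"])
    return ("pass", "", state["has_dtd"])

# Constructed sample documents (not captured traffic).
SAMPLE_OK = b"<order id='1'><item sku='a'/></order>"
SAMPLE_DTD = b"<!DOCTYPE order [<!ELEMENT order ANY>]><order/>"
SAMPLE_MANY_ATTRS = ("<order " + " ".join(f"a{i}='x'" for i in range(1001)) + "/>").encode()
SAMPLE_LONG_NAME = ("<" + "n" * 1001 + "/>").encode()

if __name__ == "__main__":
    for label, doc in [("ok", SAMPLE_OK), ("dtd", SAMPLE_DTD),
                       ("attrs", SAMPLE_MANY_ATTRS), ("name", SAMPLE_LONG_NAME)]:
        print(label, check_xml(doc))
```

Because the limits are checked inside the parser callbacks, an oversized document is rejected at the first offending element rather than after it has been read in full.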