scireum · ymo-sci · Dec 11, 2024 · Dec 9, 2024
diff --git a/src/main/java/sirius/pasta/noodle/macros/XmlProcessingMacro.java b/src/main/java/sirius/pasta/noodle/macros/XmlProcessingMacro.java
@@ -18,6 +18,7 @@
 import sirius.web.resources.Resource;
 
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -104,6 +105,7 @@ protected Document parseDocument(InputSource source) {
     protected Document parseDocument(InputSource source, @Nullable String expectedRootElement) {
         try {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Document document = factory.newDocumentBuilder().parse(source);
 
             if (Strings.isFilled(expectedRootElement) && !Strings.areEqual(expectedRootElement,

diff --git a/src/main/java/sirius/web/security/SAMLHelper.java b/src/main/java/sirius/web/security/SAMLHelper.java
@@ -27,6 +27,7 @@
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.crypto.AlgorithmMethod;
 import javax.xml.crypto.KeySelector;
 import javax.xml.crypto.KeySelectorException;
@@ -256,6 +257,7 @@ private SAMLResponse parseAssertion(Element assertion, String fingerprint) {
     private Document getResponseDocument(InputStream inputStream)
             throws SAXException, IOException, ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         factory.setNamespaceAware(true);
         return factory.newDocumentBuilder().parse(inputStream);
     }

diff --git a/src/main/java/sirius/web/templates/pdf/ImageReplacedElementFactory.java b/src/main/java/sirius/web/templates/pdf/ImageReplacedElementFactory.java
@@ -22,6 +22,7 @@
 import sirius.web.templates.pdf.handlers.PdfReplaceHandler;
 
 import javax.annotation.Nonnull;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -84,6 +85,7 @@ private Optional<ReplacedElement> tryCreateReplacedSvgElement(@Nonnull Element e
 
         try {
             DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+            documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 
             Document svgDocument = documentBuilder.newDocument();