XML files are exposed to XML External Entity (XXE) attacks when they include a DOCTYPE declaration that defines a DTD (Document Type Definition). Because of this risk, JasperReports Server can check for DOCTYPE declarations and reject files that contain one. By default, this protection is disabled, because the check causes errors for any XML file in your repository that still contains a DOCTYPE declaration. Consider enabling this setting if XXE attacks are a concern. For more information on this security issue, see Wikipedia's article on XML External Entity Attack.
Before enabling the check, ensure that the XML files in your repository don't include DOCTYPE declarations.
To enable XXE protection:
1. Identify and edit any XML files in your JasperReports Server repository that include a DOCTYPE declaration. Delete the declaration and update the JasperReport on the server. Since JasperReports Server doesn't support DTDs, we recommend removing them entirely.
2. Using a text editor, open the .../WEB-INF/applicationContext.xml file.
3. Locate the skipXXECheck property and set it to false.
4. Restart JasperReports Server.
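Step 1 is the part that is easy to get wrong: once skipXXECheck is set to false, every resource that still carries a DOCTYPE declaration fails to load, so it pays to find them all first. The script below is an added example, not part of JasperReports Server, that scans a directory of exported repository resources (for instance, the output of an export of your JRXML files) for DOCTYPE declarations and can strip them. The sample documents, the file names and the directory layout are constructed for the demonstration; the file extensions it treats as XML (.xml, .jrxml, .jrtx) are an assumption you may need to widen for your repository.

```python
"""Find (and optionally strip) DOCTYPE declarations in exported JasperReports XML files.

Added example, not part of JasperReports Server. Run it over an export of your
repository before setting skipXXECheck to false, so that files carrying a DTD
are cleaned up first instead of failing to load after the restart.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List

# XML comments are removed before searching so that a commented-out DOCTYPE
# does not produce a false positive.
_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Best-effort removal of a DOCTYPE declaration, including an internal subset
# in square brackets. Unusual subsets (a ']' inside an entity value) should
# still be reviewed by hand after stripping.
_STRIP_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL | re.IGNORECASE)

# Assumed set of extensions that hold XML content in a repository export.
XML_SUFFIXES = {".xml", ".jrxml", ".jrtx"}

# Constructed sample documents (not real repository content).
SAMPLE_WITH_DTD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE jasperReport [ <!ENTITY company "Example Corp"> ]>\n'
    '<jasperReport name="sales"><title/></jasperReport>\n'
)
SAMPLE_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<jasperReport name="inventory"><title/></jasperReport>\n'
)
SAMPLE_COMMENTED = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<!-- legacy header: <!DOCTYPE jasperReport> -->\n"
    '<jasperReport name="archive"><title/></jasperReport>\n'
)


def has_doctype(xml_text: str) -> bool:
    """Return True if the text contains a DOCTYPE declaration outside XML comments."""
    return _DOCTYPE_RE.search(_COMMENT_RE.sub("", xml_text)) is not None


def strip_doctype(xml_text: str) -> str:
    """Return the text with DOCTYPE declarations removed (entity references are not rewritten)."""
    return _STRIP_RE.sub("", xml_text)


def parses(xml_text: str) -> bool:
    """Return True if the text is well-formed XML according to the standard library parser."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def scan_tree(root: Path) -> List[str]:
    """Walk root and return sorted relative paths of XML files that carry a DOCTYPE."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in XML_SUFFIXES:
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            if has_doctype(text):
                flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def demo() -> List[str]:
    """Write the constructed samples into a temporary export tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "report_with_dtd.jrxml").write_text(SAMPLE_WITH_DTD, encoding="utf-8")
        (root / "reports" / "clean_report.jrxml").write_text(SAMPLE_CLEAN, encoding="utf-8")
        (root / "commented.xml").write_text(SAMPLE_COMMENTED, encoding="utf-8")
        (root / "notes.txt").write_text(SAMPLE_WITH_DTD, encoding="utf-8")  # not XML, ignored
        return scan_tree(root)


if __name__ == "__main__":
    for rel in demo():
        print("DOCTYPE found:", rel)
```

Point scan_tree at your own export directory to get the list of files to fix before step 3; strip_doctype removes only the declaration, so any entity references that the DTD defined must still be replaced by their literal values, which parses() will flag if they were missed.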