The Risk
XML lets a document declare entities, which are named placeholders the parser expands. An external entity points the parser at a URL or a local file path. If your application parses XML from untrusted users with a permissive parser, an attacker can declare an entity that references a sensitive file or an internal address. The parser then expands it and may leak the contents back in a response or trigger requests to systems behind your firewall.
This class of bug is called XXE, short for XML External Entity. It can expose configuration files, let an attacker make requests to internal systems from your server (server-side request forgery), or exhaust resources.
The Defense
The core fix is simple. Disable external entities and document type definitions in every XML parser you use.
- Turn off DTD processing entirely when the format does not need it.
- Disable external general entities and external parameter entities.
- Prefer formats like JSON when you only need simple data exchange.
- Keep parser libraries patched, since safe defaults have improved over time.
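The following is an added example, not code from this page, showing the list above applied with Python's standard library: the document is fed through pyexpat with handlers that reject any DOCTYPE, entity declaration or external entity reference before a single element is built, and the surviving markup events populate an ElementTree. The names parse_untrusted_xml, classify and UnsafeXMLError, and the sample documents, are my own constructions.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to use a DTD or an entity."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML with DTDs and all entity machinery refused outright.

    pyexpat does not fetch external resources on its own, but this wrapper
    also refuses the DOCTYPE itself, so internal entity expansion
    (the "billion laughs" blow-up) is ruled out as well.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject(*_args):
        # Any DTD-related event means the document is not the plain data
        # format we expect; stop immediately instead of trying to sanitise.
        raise UnsafeXMLError(
            "DOCTYPE, entity declarations and external entities are not allowed"
        )

    # Fires on <!DOCTYPE ...> before any internal subset is read.
    parser.StartDoctypeDeclHandler = reject
    # Defence in depth: even if a DOCTYPE slipped through, no entity may be
    # declared, and no external entity may be referenced.
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    # Ordinary markup events go straight into an ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)  # True: this is the final (and only) chunk
    return builder.close()


def classify(data: bytes) -> str:
    """Return 'ok' or a short reason why the document was refused."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"


# Constructed sample documents (not taken from any real system).
PLAIN_ORDER = b"<order id='42'><item qty='2'>widget</item></order>"
DTD_ORDER = (
    b"<!DOCTYPE order [<!ENTITY note 'expanded'>]>"
    b"<order><item>&note;</item></order>"
)
BROKEN = b"<order><item>unterminated</order>"

if __name__ == "__main__":
    samples = [("plain", PLAIN_ORDER), ("with DTD", DTD_ORDER), ("broken", BROKEN)]
    for label, doc in samples:
        print(f"{label:9s} -> {classify(doc)}")
```

Refusing the DOCTYPE is the "turn off DTD processing entirely" bullet; the two entity handlers are the second bullet kept as a backstop. The same shape carries over to other parsers: set the equivalent feature flags before the first byte is parsed, and fail closed rather than trying to strip the offending declarations out of the input.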
Key idea
Treat XML as untrusted input and configure parsers to refuse external entities and DTDs so no document can read files or reach internal systems.