003-XXE 防御.md
615 B / 2021-07-17 00:01:40
## XXE Defense
Use the method each language recommends for disabling external entities.
**PHP:**
```php
// Deprecated as of PHP 8.0, where libxml 2.9.0+ no longer loads external entities by default
libxml_disable_entity_loader(true);
```
**JAVA:**
```java
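import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any document that contains a DOCTYPE declaration
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Also switch off external general and parameter entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setExpandEntityReferences(false);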
```
**Python:**
```python
from lxml import etree

# xmlSource is the XML input (file name or file-like object); entity references are not resolved
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
```
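
The Java block above rejects DOCTYPE declarations outright with `disallow-doctype-decl`. The following is an added example, not code from the original page, showing the same policy in Python using only the standard library (`xml.parsers.expat` instead of lxml). The names `parse_without_doctype`, `is_accepted` and `DoctypeForbidden` are hypothetical, and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not from the original page).
SAFE_SAMPLE = b"<order><item>widget</item></order>"
DOCTYPE_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "http://example.invalid/ext.txt"> ]>\n'
    b"<order><item>&ext;</item></order>"
)


class DoctypeForbidden(ValueError):
    """Raised when a document carries a DOCTYPE declaration (hypothetical name)."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed")


def parse_without_doctype(data: bytes) -> ET.Element:
    """Parse XML bytes, refusing any document that declares a DOCTYPE."""
    checker = expat.ParserCreate()
    # expat fires this handler when it reaches <!DOCTYPE, before any entity
    # declared in the DTD is defined, so nothing is ever resolved.
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)  # raises DoctypeForbidden or expat.ExpatError
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Return True if the document parses, False if rejected or malformed."""
    try:
        parse_without_doctype(data)
        return True
    except (DoctypeForbidden, expat.ExpatError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(is_accepted(SAFE_SAMPLE))     # plain document
    print(is_accepted(DOCTYPE_SAMPLE))  # document with a DTD
```

Rejecting the DOCTYPE is stricter than `resolve_entities=False`: the document is refused instead of being parsed with its entity references left unexpanded.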