Safeguard
Tag

xxe-prevention

Safeguard articles tagged "xxe-prevention" — guides, analysis, and best practices for software supply chain and application security.

8 articles

Industry Analysis

XXE Prevention in Ruby with Nokogiri NONET/NOENT

Nokogiri wraps libxml2, and one misconfigured parse call can leak local files or trigger SSRF. Here's how NONET and NOENT actually work, and how to lock them down.

Oct 23, 20258 min read
Industry Analysis

XXE Prevention in JavaScript: Disabling libxmljs noent

How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.

Oct 22, 20257 min read
Industry Analysis

XXE Prevention in C++: Removing libxml2 XML_PARSE_NOENT

How the libxml2 XML_PARSE_NOENT flag enables XXE in C++ codebases, the real CVEs behind it, and the exact code changes needed to remove it safely.

Oct 22, 20257 min read
Industry Analysis

XXE Prevention in Python with resolve_entities=False

Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.

Oct 22, 20257 min read
Industry Analysis

XXE Prevention in Java: Hardening DocumentBuilderFactory

Java's DocumentBuilderFactory parses XML with external entities on by default, turning XML uploads into file-read and SSRF vectors. Here is how to lock it down.

Oct 22, 20258 min read
Industry Analysis

XXE Prevention in C# by Disabling XmlResolver/DTD Processing

XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.

Oct 21, 20257 min read
Industry Analysis

XXE Prevention in Go with decoder.DisallowDTD

Go's standard XML parser resists classic XXE by design, but cgo bindings and SAML libraries can reopen it. Here's how the DisallowDTD pattern closes the gap.

Oct 21, 20257 min read
Industry Analysis

XXE Prevention in PHP with libxml_disable_entity_loader

libxml_disable_entity_loader() looked like the fix for XXE in PHP, but PHP 8.0 deprecated it. Here's what it did, why it broke, and what to use now.

Oct 21, 20256 min read
xxe-prevention — Safeguard Blog