Hi,
I was reading the following topic:
https://lucee.daemonite.io/t/configuration-to-prevent-xxe/11029
and to protect your app against XXE attacks (XML external entity injection), you need to insert the following code in the application.cfc file:
this.xmlFeatures = {
    externalGeneralEntities: false,
    secure: true,
    disallowDoctypeDecl: true
};
I was wondering if there is another way to configure these features? Can we do it globally for a Lucee server by editing a configuration file or in the properties of Lucee - Java - Java Options?
I understand it’s best to do this in the application.cfc file in case the app changes servers, but I’d like to do it globally too, in case a developer on the team forgets to do it in the application.cfc file for a particular website.
Finally, have you considered these settings to be the default for the next major version of Lucee?
Thank you!
OS: Windows Server 2016 (10.0) 64bit
Java Version: 1.8.0_181 (Oracle Corporation) 64bit
Tomcat Version: Apache Tomcat/8.5.33
Lucee Version: Lucee 5.3.8.206
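As an added example (not from the post above or from Lucee itself), this Application.cfc applies the same three xmlFeatures and then, at application start, parses a constructed XML document containing a harmless internal DOCTYPE to confirm that the parser really refuses it; the application name, log name and log text are assumptions.

```cfml
// Application.cfc (added example; names are hypothetical)
component {
    this.name = "xxe-hardened-app";

    // Settings from the linked Lucee thread: no external entity resolution,
    // secure processing on, and any DOCTYPE declaration rejected outright.
    this.xmlFeatures = {
        externalGeneralEntities: false,
        secure: true,
        disallowDoctypeDecl: true
    };

    // Self-check: a DOCTYPE with only an internal entity must be rejected
    // when disallowDoctypeDecl is in effect. Nothing external is fetched.
    public boolean function xxeProtectionActive() {
        var probe = '<?xml version="1.0"?>'
                  & '<!DOCTYPE note [<!ENTITY probe "internal">]>'
                  & '<note>&probe;</note>';   // constructed test input
        try {
            xmlParse(probe);
            return false;   // DOCTYPE was accepted: protections not applied
        } catch (any e) {
            return true;    // parser refused the DOCTYPE as expected
        }
    }

    public boolean function onApplicationStart() {
        if (!xxeProtectionActive()) {
            writeLog(
                text = "XML parser accepted a DOCTYPE; this.xmlFeatures is not in effect",
                type = "error",
                log  = "application"
            );
        }
        return true;
    }
}
```

The check belongs in the per-site Application.cfc because that is where this.xmlFeatures is read; it flags the case where the setting was dropped or overridden rather than preventing it.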