Understanding anti-XXE

Hi Everyone,
I have updated lucee on my local WINDOWS dev machine to 5.4.3.2

When I started the application it errored on reading the Mach-II / ColdSpring XML files.
I commented out the DOCTYPE declaration and the application then started “normally”.

My question is…
Although getting rid of the error…
Does removing the DOCTYPE, actually prevent an XXE attack?
I am not sure that it does.
(thus I am asking for some help in understanding this)

Additionally, (again my understanding is…) that you use the DOCTYPE to include the DTD.
How do you ensure appropriate validation of the XML against the DTD - if you’re no longer able to use the DOCTYPE declaration?

As always - thanks for any help!

Gavin.

I believe the guidance to fully disable DOCTYPE declarations is meant to protect against other XML-based attacks, such as the “Billion Laughs Attack” as well (see the Wikipedia article on the billion laughs attack).

I have seen recommendations to validate that the content is valid XML and then validate each field individually, in place of using DTD, although I’m not sure how practical that would be in all situations. If the XML and DTD content is coming from a fully-trusted source that an external user cannot control, and the functionality is needed, that may be a scenario to consider easing back on the XXE controls.

Brian

1 Like
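Brian's approach above (refuse the DTD outright, then check each field on its own instead of relying on DTD validation), as an added example that is not the forum's or Lucee's code: it uses Python's standard-library parser, a constructed ColdSpring-style bean file, and per-field rules that are assumptions for that file layout.

```python
import re
import xml.etree.ElementTree as ET


class NoDoctypeBuilder(ET.TreeBuilder):
    """doctype() fires as soon as expat sees <!DOCTYPE ...>, i.e. before
    any entity in the internal subset is declared or expanded, so raising
    here fails closed (the same effect as Lucee rejecting the DOCTYPE)."""

    def doctype(self, name, pubid, system):
        raise ValueError(f"DOCTYPE declaration rejected: {name!r}")


def parse_without_dtd(text: str) -> ET.Element:
    parser = ET.XMLParser(target=NoDoctypeBuilder())
    parser.feed(text)
    return parser.close()


# Assumed per-field rules that stand in for what the DTD used to check.
BEAN_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,63}$")
CFC_PATH = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def load_bean_config(text: str) -> dict:
    """Return {bean id: cfc path}; raise ValueError on anything unexpected."""
    root = parse_without_dtd(text)
    if root.tag != "beans":
        raise ValueError(f"unexpected root element {root.tag!r}")
    beans = {}
    for bean in root:  # child elements only; whitespace text is skipped
        if bean.tag != "bean":
            raise ValueError(f"unexpected element {bean.tag!r}")
        bean_id, cfc = bean.get("id", ""), bean.get("class", "")
        if not BEAN_ID.match(bean_id) or bean_id in beans:
            raise ValueError(f"bad or duplicate bean id {bean_id!r}")
        if not CFC_PATH.match(cfc):
            raise ValueError(f"bad class path {cfc!r} for bean {bean_id!r}")
        beans[bean_id] = cfc
    return beans


def rejects(text: str) -> bool:
    """True if the loader refuses the document, False if it accepts it."""
    try:
        load_bean_config(text)
    except ValueError:
        return True
    return False


# Constructed samples: the same bean file with and without a DOCTYPE whose
# internal subset declares an entity (the mechanism XXE depends on).
SAFE_CONFIG = """<?xml version="1.0"?>
<beans>
  <bean id="userService" class="model.user.UserService"/>
  <bean id="userGateway" class="model.user.UserGateway"/>
</beans>"""
DOCTYPE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE beans [ <!ENTITY cfg "model.user.UserService"> ]>
<beans><bean id="userService" class="&cfg;"/></beans>"""
```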

Thanks Brian.

I am happy to simply remove the DOCTYPE declaration from the XML.
Just wanted confirmation that it was an actual remediation step for the vulnerability - as opposed to just making a compiler happy / making a vulnerability scanner happy - but still leaving your application vulnerable.

2 Likes