[SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.]


Ergo Mesh

Dec 1, 2014, 5:23:28 PM
to play-fr...@googlegroups.com
I'm trying to consume an XML file but getting this error. Is there a simple way to enable this feature of the parser for Play 2? I'm using the latest Play 2.3.6. Or should I just strip out the DTD? There doesn't appear to be a way to consume XML files with doctypes.

http://stackoverflow.com/questions/11315439/ignore-dtd-specification-in-scala and many others have alternative methods, but how can we do it with the WS.Url.get.xml as laid out here:


import scala.concurrent.Future
import play.api.Play.current
import play.api.libs.concurrent.Execution.Implicits.defaultContext
import play.api.libs.ws.WS
val futureResult: Future[scala.xml.NodeSeq] = WS.url(url).get().map {
  response =>
    response.xml \ "message"  // response.xml goes through Play's default (DTD-disallowing) parser
}

XML response:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xSearchResult PUBLIC "-//NLM//DTD xsearch 20060628//EN" "http://xxsearchd.dtd">
<xSearchResult><Count>1</Count><RetMax>1</RetMax><RetStart>0</RetStart><IdList>
<Id>24575859</Id>
...
</xSearchResult>





James Roper

Dec 2, 2014, 12:09:41 AM
to play-framework
We disabled DTDs in Play's default XML parser because enabling them introduces a security vulnerability called the quadratic blowup attack, where just by submitting one request to your system, an attacker can crash your server. The only way, using Java's XML processing APIs (which is what Play uses), to protect against this type of vulnerability is to disable DTDs altogether.

If you control the system that is sending you the XML payloads, then I would strongly suggest that you get that system to remove the DTD. Otherwise, you can simply use the built-in XML parser in Scala as illustrated in the following code snippet, but know that if the system that is sending you the XML is not trusted, that system could trivially crash your server (or worse, including accessing files on your server).

import scala.concurrent.Future
import scala.xml.NodeSeq
val futureResult: Future[NodeSeq] = WS.url(url).get().map { response =>
  scala.xml.XML.loadString(response.body) \ "message"  // Scala's default parser: DTDs allowed, so only for trusted senders
}




--
James Roper
Software Engineer

Typesafe – Build reactive apps!
Twitter: @jroper
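As an added example (not from the thread or from Play itself), the following shows how to apply the same restrictions outside Play's WS layer with scala.xml, using the JAXP feature named in the error message. The `allowDoctype` switch is a hypothetical option for a trusted feed like the one in the question: it keeps the DTD declaration but still refuses to fetch external entities or the external DTD, which covers the file-access risk James mentions but not an internal-entity blowup, so the default remains the DOCTYPE ban.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import org.xml.sax.SAXParseException
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

object SafeXml {
  // A SAX parser configured like Play's default one: DOCTYPE disallowed.
  // allowDoctype = true is the hypothetical relaxation for a trusted sender;
  // external entities and the external DTD are never loaded in either mode.
  def parser(allowDoctype: Boolean): SAXParser = {
    val f = SAXParserFactory.newInstance()
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype)
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f.newSAXParser()
  }

  // Parses a response body with the hardened parser; a rejected DOCTYPE (or any
  // other parse failure) comes back as Left instead of an exception.
  def parse(body: String, allowDoctype: Boolean = false): Either[String, Elem] =
    Try(XML.withSAXParser(parser(allowDoctype)).loadString(body)) match {
      case Success(elem)                 => Right(elem)
      case Failure(e: SAXParseException) => Left(s"rejected: ${e.getMessage}")
      case Failure(e)                    => Left(s"error: ${e.getMessage}")
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample in the shape of the response quoted in the question;
    // the DTD URL is never contacted because load-external-dtd is off.
    val body =
      """<?xml version="1.0" encoding="UTF-8"?>
        |<!DOCTYPE xSearchResult PUBLIC "-//NLM//DTD xsearch 20060628//EN" "http://xxsearchd.dtd">
        |<xSearchResult><Count>1</Count><IdList><Id>24575859</Id></IdList></xSearchResult>
        |""".stripMargin

    // Default mode rejects the document, exactly as Play's response.xml does.
    println(parse(body))
    // Trusted-sender mode parses it and the Id elements can be read out.
    println(parse(body, allowDoctype = true).map(x => (x \\ "Id").map(_.text)))
  }
}
```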

Ergo Mesh

Dec 4, 2014, 12:51:14 PM
to play-fr...@googlegroups.com
Great, thanks. I did it with a limit drop on that line of DTD, but yours works nicer. Thanks for the right way!