Restrict XML external entities [Updated in Security Center 1.3 and 2.0]

  • Final version: Australia
  • Updated 12 March 2026
  • 1 minute read
  • Configure system properties to ensure that your instance only processes XML from trusted sources to help prevent XML external entity (XXE) attacks.

    Use the glide.xml.entity.whitelist and glide.xml.entity.whitelist.enabled system properties to prevent your instance from processing XML from untrusted sources.

    XML external entity (XXE) attacks occur when a malicious actor modifies incoming XML (such as adding HTTP requests) to access data or interact with otherwise restricted systems. To help prevent these attacks, the glide.xml.entity.whitelist.enabled system property limits the sources from which your instance executes XML. Use the glide.xml.entity.whitelist property to define the set of trusted sources.

    Ensure that the glide.xml.entity.whitelist system property exists in the System Properties [sys_properties] table, and is set to http://java.sun.com/j2ee/dtds/. Ensure that the glide.xml.entity.whitelist.enabled system property exists in the System Properties [sys_properties] table and is set to the value true.

    Tip:

    Values other than http://java.sun.com/j2ee/dtds/ can be included in the glide.xml.entity.whitelist property, but they are unnecessary for the out-of-the-box platform state. Review any additional values to determine whether they are safe.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it has been changed. It is non-revertible.
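    The allowlist gate these two properties describe, written out as an added illustration (not ServiceNow platform code): it extracts the external identifiers an XML document would make a parser fetch and accepts only those whose URI starts with an allowlisted prefix. Prefix matching, the regex-based extraction and the sample documents are assumptions made for the illustration; the platform's exact matching rules are not on this page.

```javascript
// Added illustration of the glide.xml.entity.whitelist gate; not ServiceNow code.
// Prefix matching is an assumption: the platform's exact rule is not documented here.
const ENTITY_WHITELIST = ['http://java.sun.com/j2ee/dtds/']; // recommended value
const ENTITY_WHITELIST_ENABLED = true;                         // recommended value

// Collect every external identifier a resolving parser would fetch: the
// DOCTYPE SYSTEM/PUBLIC id and any external entity declared in the internal subset.
function externalIdentifiers(xml) {
  const ids = [];
  const re = /(?:<!DOCTYPE\s+\S+|<!ENTITY\s+%?\s*\S+)\s+(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"([^"]+)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) ids.push(m[1]);
  return ids;
}

// Decide whether one external identifier may be resolved.
function isAllowedSource(uri, whitelist = ENTITY_WHITELIST, enabled = ENTITY_WHITELIST_ENABLED) {
  if (!enabled) return true; // gate switched off: every source resolves (the risky state)
  return whitelist.some((prefix) => uri.startsWith(prefix));
}

// Audit a document before handing it to a resolving parser. Returns the
// identifiers that would be blocked; an empty list means it is safe to process.
function blockedSources(xml, whitelist, enabled) {
  return externalIdentifiers(xml).filter((uri) => !isAllowedSource(uri, whitelist, enabled));
}

// Constructed samples: a web.xml that references the J2EE DTD (allowed), and a
// document whose parameter entity points at an untrusted host (blocked).
const TRUSTED_DOC = '<?xml version="1.0"?>\n' +
  '<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" ' +
  '"http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">\n<web-app/>';
const UNTRUSTED_DOC = '<?xml version="1.0"?>\n' +
  '<!DOCTYPE data [\n  <!ENTITY % ext SYSTEM "http://untrusted.example/remote.dtd">\n  %ext;\n]>\n<data/>';

console.log('trusted doc blocked:', blockedSources(TRUSTED_DOC));     // []
console.log('untrusted doc blocked:', blockedSources(UNTRUSTED_DOC)); // the untrusted DTD URI
```

    With the enabled flag set to false the same untrusted document passes the gate, which is why the recommendation is to keep both properties at their recommended values.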

    More information

    Configuration name:
    • glide.xml.entity.whitelist
    • glide.xml.entity.whitelist.enabled

    Configuration type: System Properties (/sys_properties_list.do)

    Data type:
    • String
    • Boolean

    Recommended value:
    • http://java.sun.com/j2ee/dtds/
    • true

    Default value:
    • http://java.sun.com/j2ee/dtds/
    • true

    Fallback value:
    • http://java.sun.com/j2ee/dtds/
    • true

    Category: Validation, sanitization, and encoding

    Security risk:
    • Severity score: 9.8
    • CVSS score: Critical
    • Security risk details: An XML External Entity (XXE) attack can allow attackers to access data or perform unauthorized actions via crafted XML payloads.

    Functional impact: If a customization uses an external entity whose source is not included in the glide.xml.entity.whitelist property, the Now Platform might block further processing.

    Dependencies and prerequisites: None