Restrict XML external entities
Configure system properties to ensure that your instance only processes XML from trusted sources to help prevent XML external entity (XXE) attacks.
Use the glide.xml.entity.whitelist.enabled and glide.xml.entity.whitelist system properties to prevent your instance from processing XML from untrusted sources.
XML external entity (XXE) attacks occur when a malicious actor modifies incoming XML (for example, by adding HTTP requests) to access data or interact with otherwise restricted systems. To help prevent these attacks, the glide.xml.entity.whitelist.enabled system property limits the sources from which your instance executes XML. Use the glide.xml.entity.whitelist property to define a set of trusted sources.
Ensure that the glide.xml.entity.whitelist system property exists in the System Properties [sys_properties] table, and is set to http://java.sun.com/j2ee/dtds/. Ensure that the glide.xml.entity.whitelist.enabled system property exists in the System Properties [sys_properties] table and is set to the value true.
Values other than http://java.sun.com/j2ee/dtds/ can be included in the glide.xml.entity.whitelist property, but are unnecessary for the out of the box platform state. Review any additional values to determine if they are safe.
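The checks described above can be run against an export of the two properties. The following is an added example, not ServiceNow code: the function name, the row shape (name and value fields), the comma-separated list format, and the sample rows are assumptions made for illustration.

```javascript
// Added example: audits the two system properties this page describes.
// Rows mimic an export of the System Properties [sys_properties] table
// with "name" and "value" fields (assumed shape).
const REQUIRED_DTD = 'http://java.sun.com/j2ee/dtds/';

function auditXmlEntityProperties(rows) {
  const props = new Map(rows.map((r) => [r.name, String(r.value ?? '').trim()]));
  const findings = [];

  // Check 1: the enabled property exists and is set to true.
  const enabled = props.get('glide.xml.entity.whitelist.enabled');
  if (enabled === undefined) {
    findings.push('glide.xml.entity.whitelist.enabled is missing');
  } else if (enabled !== 'true') {
    findings.push(`glide.xml.entity.whitelist.enabled is "${enabled}", expected "true"`);
  }

  // Check 2: the trusted-source list exists and contains the expected value.
  const list = props.get('glide.xml.entity.whitelist');
  if (list === undefined) {
    findings.push('glide.xml.entity.whitelist is missing');
    return findings;
  }
  // Assumption: multiple trusted sources are comma-separated.
  const entries = list.split(',').map((e) => e.trim()).filter(Boolean);
  if (!entries.includes(REQUIRED_DTD)) {
    findings.push(`glide.xml.entity.whitelist does not include ${REQUIRED_DTD}`);
  }

  // Check 3: any additional value needs a manual safety review.
  for (const extra of entries.filter((e) => e !== REQUIRED_DTD)) {
    findings.push(`review additional trusted source: ${extra}`);
  }
  return findings;
}

// Constructed sample export, not taken from a real instance.
const sampleRows = [
  { name: 'glide.xml.entity.whitelist.enabled', value: 'false' },
  { name: 'glide.xml.entity.whitelist',
    value: 'http://java.sun.com/j2ee/dtds/, http://dtd.example.test/' },
];

for (const finding of auditXmlEntityProperties(sampleRows)) {
  console.log(finding);
}
```

An empty result means both properties match the values given on this page and no additional trusted sources are configured.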
More information
| Attribute | Description |
|---|---|
| Configuration name | |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | |
| Recommended value | |
| Default value | |
| Fallback value | |
| Category | Validation, sanitization, and encoding |
| Security risk | |
| Functional impact | If a customization uses an external entity that is not listed in the glide.xml.entity.whitelist property, the NOW Platform might block further processing. |
| Dependencies and prerequisites | None |