Disable Entity Expansion within the XMLDocument2 Streaming Parser

Release version: Australia

Updated March 12, 2026

1 minute to read

If customizations do not require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

If the glide.stax.allow_entity_resolution is not set to the recommended value of false, then this property allow XML entities to be expanded during parsing by the streaming parser (XMLDocument2).

Ensure that the property glide.stax.allow_entity_resolution exists in the System Properties [sys_properties] table and is set to false. If the property does not appear in the System Properties [sys_properties] table the default value is true.

Warning:

This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information


Attribute	Description
Configuration name
Configuration type	System Properties (/sys_properties_list.do)
Data type	Boolean
Recommended value	false
Default value	false
Fallback value	true
Category	Validation, sanitization, and encoding
Security risk	Severity score: 9.0 CVSS rating: Critical Security risk details: XML entity expansion can lead to attacks such as ability to read system files, and Denial of Service.
Functional impact	None
Dependencies and prerequisites	Before setting this property: Set the glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled properties to true. To learn more, see Restrict XML external entities and Require XMLdoc2 entity validation with allowlist. Define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which is the only URLs that can be reached using XML Entity processing. property. To learn more, see Restrict XML external entities.