Require XMLdoc2 entity validation with allowlist

  • Release version: Australia
  • Updated March 13, 2026
  • 2 minutes to read

    If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    If the glide property glide.stax.whitelist_enabled doesn't exist in the System Properties [sys_properties] table, or is not set to the recommended value of true, then all external entities are allowed when the glide property glide.stax.allow_entity_resolution is set to the value of true.

    If customizations don't require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    • If you set glide.stax.allow_entity_resolution to true, all external entities attempt to resolve or expand, subject to the setting of the glide.stax.whitelist_enabled property.
    • If you set glide.stax.allow_entity_resolution to false, all entity resolution and expansion is blocked. To learn more about this property, see Disable Entity Expansion within the XMLDocument2 Streaming Parser.

    When glide.stax.whitelist_enabled is set to true, define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property; these are the only hosts that XML entity processing can reach. To learn more, see Restrict XML external entities. Attackers can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.

    Prerequisites

    Before setting this property:
    • Set the glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled properties to true. To learn more, see Restrict XML external entities.
    • Define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property; these are the only hosts that XML entity processing can reach. To learn more, see Restrict XML external entities.
    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    • Property name: glide.stax.whitelist_enabled
    • Configuration type: System Properties (/sys_properties_list.do)
    • Category: Validation, sanitization, and encoding
    • Purpose: This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laughs attack.
    • Recommended value: true
    • Default value: true
    • Security risk rating: 9.8
    • Functional impact: If the customization is using entity expansion, then the ServiceNow AI Platform might block further processing.
    • Security risk: An attacker can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.
    • Workaround: If the customization requires entity expansion, set this property to true and follow the steps documented in Restrict XML external entities.

    To learn more about adding or creating a system property, see Add a system property.

    For more information about OWASP resources, see OWASP.