SAMLUtils Should Restrict Itself to Not Allow External Entities or Inline Doctypes

Description

The SAMLUtils XML parser should restrict its parser features with the following settings:

DocumentBuilderFactory builder = DocumentBuilderFactory.newInstance(); // assumed: the factory on which setFeature is called
builder.setFeature("http://xml.org/sax/features/external-general-entities", false); // do not resolve external general entities
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);    // reject any inline DOCTYPE declaration
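As an added example (not code from this ticket or from the project it belongs to), a DocumentBuilderFactory configured with the two features above plus the related restrictions normally set alongside them, and a check that a document carrying an inline DOCTYPE is refused while a plain SAML response still parses. The class and method names, and the sample documents, are assumptions made for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedSamlParser {

    // Factory with the two features from the ticket plus the restrictions normally set with them.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true); // SAML elements are namespace-qualified
        // Reject any inline DOCTYPE: with no DTD there are no entity declarations at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Never resolve external general or parameter entities, and never fetch an external DTD.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // True if the hardened parser accepted the document, false if it refused it.
    static boolean parses(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // Xerces raises a fatal error for the DOCTYPE when disallow-doctype-decl is on.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a minimal SAML response, and the same response preceded by an inline DOCTYPE.
        String plain = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_1\"/>";
        String withDoctype = "<!DOCTYPE samlp:Response [<!ENTITY e \"x\">]>" + plain;
        System.out.println("plain response accepted: " + parses(plain));
        System.out.println("inline DOCTYPE accepted: " + parses(withDoctype));
    }
}
```

With the hardened factory the second document is rejected before any entity is declared or expanded, which is the behaviour the ticket asks for.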

Environment

None

Status

Assignee

Misagh Moayyed

Reporter

ScottS

Labels

None

Estimated End Date

None

Audience

None

Components

Fix versions

Affects versions

3.5.2

Priority

Critical