Created attachment 38102: source code

At line 88, the XML parser configured as 'tf' does not prevent nor limit external entity resolution. This can expose the parser to an XML External Entities attack. Using XML parsers configured to not prevent nor limit external entity resolution can expose the parser to an XML External Entities attack. For example, as below:

tf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

I think taglibs can add the above content first and parse the XML in the next step; that would be better. Thanks
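The hardening the report suggests, as an added example (not taglibs code and not the reporter's attachment): the disallow-doctype-decl feature is applied where the JDK parsers support it, on a DocumentBuilderFactory, and the TransformerFactory ('tf' in the report) is locked down with the JAXP secure-processing feature and the ACCESS_EXTERNAL_* attributes. The XML input with an external entity is constructed for the demonstration; the class and method names are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample: a DOCTYPE declaring an external entity, the input the report warns about.
    static final String DOCTYPE_INPUT =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE d [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<d>&ext;</d>";

    /** DocumentBuilderFactory that refuses any DOCTYPE, so no entity can ever be resolved. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a DOCTYPE must be tolerated: disable the entity classes separately.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** TransformerFactory (the report's 'tf') with external DTD and stylesheet fetching cut off. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes; a non-JDK implementation may reject them with IllegalArgumentException.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(DOCTYPE_INPUT)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the document is rejected before any entity is touched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
        hardenedTransformerFactory().newTransformer(); // identity transformer, external access off
    }
}
```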
1. Security reports should not be posted to public bug trackers or mailing lists. The correct way to report security issues is described here: http://tomcat.apache.org/security.html

2. The parser is not exposed to untrusted user input. It is not exploitable.