On 11/12/2023 14:53, Christopher Schultz wrote:
Or are there maybe cases where these protections should NEVER be
reduced? I'm thinking about the WebDAV servlet as a good example: there is
never a good reason to allow remote-client-provided XML to be parsed in
a potentially dangerous way. Maybe
All,
Tomcat parses XML documents in a handful of places, for example:
1. Main config files (server.xml, web.xml, context.xml)
2. JSPs
3. JSP tag-library descriptors (TLDs)
4. WebDAV requests
5. Directory-index XSL transforms
In most of these cases, the XML parser is put into a "safe"
config