Entity resolution happens in the XML parser, not in Saxon itself. You can use the -x option to set the parser that will be used for processing source documents, and this can be a custom XMLReader implementation that invokes a standard parser with your own configuration settings.

Frankly, the scenario of processing untrusted source documents from the command line seems a little implausible. This seems to be something that you're much more likely to do in a web application, and in a web application you should be using the Java API (e.g. the s9api or JAXP API) rather than the command line. When you use the API, you can instantiate an XMLReader yourself, set its configuration options, and then supply this to Saxon as the transformation source (e.g. in a SAXSource object).

Michael Kay
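As an added illustration of the API route described above (example code, not part of Michael's reply or of the Saxon project): a JAXP-configured XMLReader with DOCTYPE and external-entity processing switched off, handed to Saxon's s9api as a SAXSource. The stylesheet path transform.xsl and the sample input document are assumptions.

```java
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import java.io.File;
import java.io.StringReader;
import net.sf.saxon.s9api.*;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedTransform {
    /** Builds a SAX XMLReader that refuses DOCTYPEs and never fetches external entities or DTDs. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Strongest option: reject any DOCTYPE declaration outright.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces, in case a parser ignores the feature above.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    public static void main(String[] args) throws Exception {
        Processor proc = new Processor(false);
        XsltExecutable exec = proc.newXsltCompiler()
                .compile(new StreamSource(new File("transform.xsl"))); // assumed stylesheet
        XsltTransformer t = exec.load();

        // Constructed untrusted input: a DOCTYPE declaring an external entity.
        String untrusted = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder\">]><d>&ext;</d>";
        InputSource in = new InputSource(new StringReader(untrusted));

        // The hardened reader, not Saxon, decides how entities are handled.
        t.setSource(new SAXSource(hardenedReader(), in));
        t.setDestination(proc.newSerializer(System.out));
        try {
            t.transform();
        } catch (SaxonApiException e) {
            // With disallow-doctype-decl the parser rejects the document before resolving anything.
            System.err.println("Rejected untrusted input: " + e.getMessage());
        }
    }
}
```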

On 13 Apr 2014, at 21:15, Ruvim Pinka <ruvim.pinka@gmail.com> wrote:


How do I disable external entity resolving in Saxon XSLT from the command line?

In other words, how do I avoid the XXE vulnerability when an XML document comes from an untrusted source?

For example, xsltproc and msxsl have options to not resolve external definitions.

saxon-help mailing list archived at http://saxon.markmail.org/