Play Framework Security Advisory

XML External Entities


11 Sep 2013


A vulnerability has been found in Play’s XML processing.

An attacker may use XML external entities to read files from the file system, internal network, or DoS the application.


Any application that uses either the default any content parsers, or specifically the XML parser, may be vulnerable.

Affected Versions


Change the default SAXParserFactory implementation used by the JDK to be one that disables external entities.

For example, if using the Oracle JDK, add the following class to your application:

package xml;

import org.xml.sax.*;
import javax.xml.parsers.*;

public class SecureSAXParserFactory extends SAXParserFactory {
    private final SAXParserFactory platformDefault = new;

    public SecureSAXParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
        platformDefault.setFeature("", false);
        platformDefault.setFeature("", true);

    public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        return platformDefault.newSAXParser();

    public void setFeature(String name, boolean value) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        platformDefault.setFeature(name, value);

    public boolean getFeature(String name) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return platformDefault.getFeature(name);

And then when starting the application in production mode, add the following system property to the command line arguments:



Upgrade to the appropriate version below:

CVSS metrics (more info)


Credit for finding this vulnerability goes to the Australia Post Digital Mailbox Security Team.