--- title: XML parsing vulnerable to XXE for XML Reader description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > XML parsing vulnerable to XXE for XML Reader --- # XML parsing vulnerable to XXE for XML Reader {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `java-security/xml-parsing-xxe-xmlreader` **Language:** Java **Severity:** Warning **Category:** Security **CWE**: [611](https://cwe.mitre.org/data/definitions/611.html) ## Description{% #description %} Your code may be vulnerable XML if you process XML from an untrusted source. Make sure to enable secure processing when you process XML data by setting `XMLConstants.FEATURE_SECURE_PROCESSING` to true. #### Learn More{% #learn-more %} - [XML parsing vulnerable to XXE (XML Reader)](https://find-sec-bugs.github.io/bugs.htm#XXE_XMLREADER) - [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html) ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```java class MyClass { public void test() { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setContentHandler(customHandler); reader.parse(new InputSource(inputStream)); } } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```java class MyClass { public void test() { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); reader.setContentHandler(customHandler); reader.parse(new InputSource(inputStream)); } } ``` Seamless integrations. Try Datadog Code SecurityDatadog Code Security {% icon name="icon-external-link" /%}