@federicocarboni/saxe

    Interface SaxOptions

    interface SaxOptions {
        dtd?: "prohibit" | "ignore" | "process";
        entityProvider?: EntityProvider;
        incrementalText?: boolean;
        maxAttributesLength?: number;
        maxElementDepth?: number;
        maxEntityDepth?: number;
        maxEntityLength?: number;
        maxNameLength?: number;
        maxTextLength?: number;
    }

    Properties

    dtd?: "prohibit" | "ignore" | "process"

    Control how document type declarations are handled.

    Most attacks against XML parsers rely on entity expansion, which depends on DTD processing.

    SaxParser and SaxNamespaceParser are non-validating parsers and do not support external entities. Regardless of configuration, external entities are never resolved or fetched, so XXE (XML External Entity) attacks are not possible.

    Internal DTD processing, however, is required of all XML parsers and is therefore implemented to the specification. Because it is also what entity expansion attacks depend on, support for it is off by default and must be enabled explicitly when needed; this keeps XML DoS attacks (for example exponential entity expansion) away from parsers that never needed a DTD in the first place.

    "prohibit"

    Completely disables DTDs. DOCTYPE declarations, even empty ones, throw ProhibitedDoctypeDecl, guaranteeing both security and data integrity (no declaration can alter the parsed content). This is the default and safest option, following OWASP recommendations.

    "ignore"

    Disables processing of DTDs. DOCTYPE declarations are tolerated and checked for syntax errors, but markup declarations do not affect parsing of the document content.

    "process"

    Enables processing of DTDs. Internal markup declarations are parsed and processed: attribute list declarations apply normalization and default values, and entity declarations are recognized.

    The parser cannot access external markup declarations, so they never affect processing of the document. Only the internal DTD subset is ever processed.

    Enabling DTD processing may be preferred where strict alignment with DOM web standards is necessary. Entity expansion DoS attacks are always bounded by the security limits (maxEntityDepth and maxEntityLength), which users are encouraged to tighten further for their inputs.

    Default: "prohibit"
    
    entityProvider?: EntityProvider

    An entity provider to consult when the parser has not read a declaration for a referenced entity.

    Entity values returned by the entity provider are not affected by the dtd option: they are used even under "prohibit" and "ignore". This option is only recommended for a limited, trusted set of entities.
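    The following is an added example that is not part of saxe and does not use its API: a toy model of the two mechanisms the dtd and entityProvider sections describe, namely internal-subset entity declarations and a provider fallback for undeclared entities, with maxEntityDepth and maxEntityLength enforced during expansion. It handles only <!ENTITY name "value"> declarations and &name; references, ignoring everything else about XML. The names parseInternalSubset, expandEntities, safeExpand, EntityProviderFn and BILLION_LAUGHS_SUBSET are this example's own, and the "billion laughs" subset is constructed here with three levels of ten-fold expansion rather than the ten levels of the classic payload.

```typescript
// Added example, not saxe's code: a toy entity expander with the limits the
// page's options describe. Only <!ENTITY name "value"> and &name; are handled.

export interface ExpansionLimits {
  maxEntityDepth: number;  // how deep &a; -> &b; -> &c; chains may nest
  maxEntityLength: number; // bound on one entity's fully expanded size
}

// Page defaults for the two entity limits.
export const DEFAULT_LIMITS: ExpansionLimits = { maxEntityDepth: 10, maxEntityLength: 1000000 };

// Hypothetical provider shape modelled on the entityProvider description:
// returns a replacement for an undeclared entity, or undefined to reject it.
export type EntityProviderFn = (name: string) => string | undefined;

// Collect <!ENTITY name "value"> declarations from an internal subset.
// The first declaration of a name wins, as the XML spec requires.
export function parseInternalSubset(subset: string): Record<string, string> {
  // Prototype-less object so an entity named "constructor" cannot collide
  // with Object.prototype members.
  const entities: Record<string, string> = Object.create(null);
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m: RegExpExecArray | null;
  while ((m = decl.exec(subset)) !== null) {
    const name = m[1];
    if (!(name in entities)) entities[name] = m[2] !== undefined ? m[2] : m[3];
  }
  return entities;
}

// Expand &name; references in `text`. Depth is checked on entry and the
// length of an entity's expansion is checked after each substitution, so a
// payload is rejected long before its full expansion is materialised.
export function expandEntities(
  text: string,
  entities: Record<string, string>,
  limits: ExpansionLimits,
  provider?: EntityProviderFn,
  depth = 0,
): string {
  if (depth > limits.maxEntityDepth) {
    throw new Error(`maxEntityDepth (${limits.maxEntityDepth}) exceeded`);
  }
  const ref = /&([A-Za-z_][\w.-]*);/g;
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = ref.exec(text)) !== null) {
    out += text.slice(last, m.index);
    last = m.index + m[0].length;
    const name = m[1];
    if (name in entities) {
      out += expandEntities(entities[name], entities, limits, provider, depth + 1);
    } else {
      // Undeclared: fall back to the provider, as this toy assumes a provider
      // works; provider values are substituted verbatim here.
      const provided = provider ? provider(name) : undefined;
      if (provided === undefined) throw new Error(`undeclared entity &${name};`);
      out += provided;
    }
    // Depth 0 is document text, whose size is a separate concern (maxTextLength).
    if (depth > 0 && out.length > limits.maxEntityLength) {
      throw new Error(`maxEntityLength (${limits.maxEntityLength}) exceeded`);
    }
  }
  return out + text.slice(last);
}

// Convenience wrapper that reports the rejection reason instead of throwing.
export function safeExpand(
  text: string,
  entities: Record<string, string>,
  limits: ExpansionLimits,
  provider?: EntityProviderFn,
): { ok: boolean; result: string } {
  try {
    return { ok: true, result: expandEntities(text, entities, limits, provider) };
  } catch (e) {
    return { ok: false, result: (e as Error).message };
  }
}

// Constructed payload: three levels of ten-fold expansion (3 -> 30 -> 300 -> 3000 chars).
export const BILLION_LAUGHS_SUBSET = [
  '<!ENTITY lol "lol">',
  '<!ENTITY lol1 "' + new Array(11).join("&lol;") + '">',
  '<!ENTITY lol2 "' + new Array(11).join("&lol1;") + '">',
  '<!ENTITY lol3 "' + new Array(11).join("&lol2;") + '">',
].join("\n");
```

    With the page's default limits the constructed payload expands to 3000 characters and is accepted; tightening maxEntityLength to 1000 rejects it while the second level is still being expanded, and a self-referencing entity is stopped by maxEntityDepth. The point for a practitioner is that the defaults are a ceiling, not a recommendation: set maxEntityLength to the largest value a legitimate document could need.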

    incrementalText?: boolean

    Emit SaxHandler.text as soon as data becomes available.

    By default, the parser collects text content as if it were forming a DOM Text Node (or CDATA Section Node), even when the text spans multiple chunks. This makes the parser more predictable but delays output until the chunk that ends the node is reached.

    Enabling this option prevents any buffering and causes the parser to emit SaxHandler.text as soon as data becomes available, so a handler may receive one node's text as several consecutive text events.

    Default: false
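    The following is an added example that is not saxe's code and does not call its API: a toy chunked scanner that separates markup (between "<" and ">") from character data, so that the two text-event behaviours described for incrementalText can be compared on the same input. It is not an XML parser; scanChunks, textEvents and SAMPLE_CHUNKS are names of this example only, and the sample chunks are constructed so that one text node and one end tag each straddle a chunk boundary.

```typescript
// Added example, not saxe's code: models buffered vs incremental text events
// for input delivered in chunks. Only splits markup from character data.

export interface ScanEvent {
  kind: "text" | "markup";
  data: string;
}

// Constructed input: "hello world" is split across chunks, and so is "</a>".
export const SAMPLE_CHUNKS = ["<a>hel", "lo wor", "ld</", "a>"];

export function scanChunks(chunks: string[], incrementalText: boolean): ScanEvent[] {
  const events: ScanEvent[] = [];
  let inMarkup = false;
  let pending = ""; // text or markup carried across chunk boundaries
  const flushText = (): void => {
    if (pending !== "") {
      events.push({ kind: "text", data: pending });
      pending = "";
    }
  };
  for (const chunk of chunks) {
    for (let i = 0; i < chunk.length; i++) {
      const ch = chunk.charAt(i);
      if (!inMarkup && ch === "<") {
        // Markup always ends the current text node, in both modes.
        flushText();
        inMarkup = true;
        pending = "<";
      } else if (inMarkup && ch === ">") {
        events.push({ kind: "markup", data: pending + ">" });
        pending = "";
        inMarkup = false;
      } else {
        pending += ch;
      }
    }
    // Incremental mode hands over the text seen so far at the end of every
    // chunk; buffered mode keeps it until the markup that ends the node.
    // A partially received tag is never emitted early in either mode.
    if (incrementalText && !inMarkup) flushText();
  }
  if (!inMarkup) flushText(); // end of input
  return events;
}

// Just the text events, as a handler's SaxHandler.text would see them.
export function textEvents(chunks: string[], incrementalText: boolean): string[] {
  return scanChunks(chunks, incrementalText)
    .filter((e) => e.kind === "text")
    .map((e) => e.data);
}
```

    Buffered mode yields a single "hello world" event; incremental mode yields "hel", "lo wor" and "ld". A handler that assumes one text event per node must concatenate consecutive events when incrementalText is enabled; the concatenation is identical in both modes.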
    
    maxAttributesLength?: number

    Maximum size allowed for the attributes in a single tag. Counts the total combined length of the names and values of all attributes on that tag.

    Default: 10_000_000
    
    maxElementDepth?: number

    Maximum nesting depth allowed for elements.

    Default: 200
    
    maxEntityDepth?: number

    Maximum nesting depth allowed for entities.

    Default: 10
    
    maxEntityLength?: number

    Maximum size allowed for an entity value, including the values of any nested entities it references.

    Default: 1_000_000
    
    maxNameLength?: number

    Maximum size allowed for a markup identifier. Applies to tag names and to public and system identifiers.

    In SaxNamespaceParser, it also applies to namespace URIs.

    Default: 2_000
    
    maxTextLength?: number

    Maximum size allowed for a text node.

    Also applies to comments, processing instructions and DTD declarations.

    Default: 10_000_000