
What is XML External Entity (XXE) injection and how do you prevent it?

XML supports a feature called external entities: a DOCTYPE declaration can define a named entity that, when referenced in the document body, is replaced with the contents of a file or URL. For example, an attacker uploads XML containing <!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]> and then references &e; in the document body. The parser dutifully reads /etc/passwd and inserts its contents into the document — which the app then returns or processes.

The impacts are: local file read (server files, secrets), SSRF (Server-Side Request Forgery — the parser fetches internal URLs like http://169.254.169.254/), and DoS via entity-expansion bombs ('billion laughs' — a small document that expands to gigabytes).

Prevention: disable DTD processing and external entity resolution entirely in your XML parser configuration (many modern libraries make this the default, but set it explicitly rather than assuming it — e.g. enable FEATURE_SECURE_PROCESSING in Java, or use resolve_entities=False, no_network=True, load_dtd=False in lxml). When you don't actually need XML, prefer JSON. Do not rely on input filtering to catch malicious <!DOCTYPE> declarations.
