In spite of JSON’s reign as the king of API data formats, XML remains the exchange data format of choice for a number of systems. Any service exposing functionality through SOAP, and many applications built years ago (or even nowadays), still depend on XML to share data – to such an extent that in April 2013 the W3C published a new spec for version 3.0 of the XPath, XSLT and XQuery standards. We decided it was time to update the platform’s support for these standards and fix a couple of things while at it.
Trust no one! Most security issues come from assuming that no bad person is going to tamper with your input data. We usually pay more attention to it when processing the most common inputs, such as an HTTP request or some argument that’s going into an SQL query. But we usually don’t pay much attention to other types of resources that are also vulnerable to malicious thinking – such as an XML file.
External Entities are an XML feature which allows you to embed an external source into your document. For example, let’s suppose that your application responds to queries using an XML schema, which contains a disclaimer footer. Your legal department is prone to changing the wording on it, so it probably makes sense to take it from an external file, so that your templates (which are part of your deployed source code) are not modified. Such templates could look like this:
Hello friends! How’s it going?
Has the following ever happened to you? You show up to work one morning and your boss tells you, “I need you to take this data and turn it into XML.” Well, this has happened to me, and in this blog post I’m going to show you how to do this quickly.
The other day I helped a customer figure out a little XPath problem: they had an XML document and wanted to process it depending on an XPath expression. Here’s the Mule config that shows what we were trying to achieve:
It is pretty common that Mule messages contain XML as a payload and that those messages need to be validated/transformed. XML documents can be automatically validated using XSD, though those validations are structural and sometimes we need to manually code some validation in plain Java (especially in complex scenarios like validating references, existence conditions and value dependencies).
Configuring Mule involves XML, and though using a decent XML editor can help a lot (thanks to the contextual help it provides from Mule’s schemas), there are still enough angle brackets to warrant a coffee break as projects get more complicated.
As the number of services in a Mule project increases, so does the amount of noise in its configuration files, making it harder to understand and maintain them. We recommend splitting service configuration files, but in Mule 3 we’ve decided to go further and tackle this problem with the introduction of pattern-based configuration.
When I recently switched to Eclipse Galileo, I noticed that a Mule configuration file that had previously validated correctly now had validation errors. Since I did not change the file, something in Galileo’s validation of XML files must have changed.
The symptoms are these: