Do JAX-RPC and Axis2 have built-in support for XML injection?
If not, how can I add custom code to perform escaping and schema validations on my own?
Edit: I looked at the code generated by JAX-RPC, it looks like the code performs schema validations – so that is one step towards protection from XML injection.
The question that remains is – what about character escaping?
About Axis2 – I think it is done based on annotations on the actual beans that represent the model – so if there are no restriction annotations – it seems like XML injection is possible – but I would prefer an expert’s answer on that as well.
I would be surprised if either of these technologies were vulnerable to XML injection (do you mean XPath injection by the way?). They are build on standard Java APIs like JAXP which have been around for a long time, and escape any dangerous characters
<,&etc automatically.That doesn’t mean you don’t have to be careful you don’t introduce injection vulnerabilities when using these technologies in your own application. For example, it still seems difficult to parameterized XPath queries safely in Java.