From a2ef18de5e3444f79db28c80f0cb483f558b1c18 Mon Sep 17 00:00:00 2001 From: Sander Hautvast Date: Mon, 5 Feb 2024 13:46:54 +0100 Subject: [PATCH] Update sectraining.md --- sectraining.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/sectraining.md b/sectraining.md index af9eeef..f7abc69 100644 --- a/sectraining.md +++ b/sectraining.md @@ -234,3 +234,38 @@ or ``` _Just who invented these unnecessary attack vectors_ Or was this deemed useful at the time? I certainly never used it, or thought this would come in handy... + +#### Prevention + +```java +DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); +String FEATURE = null; +try { + FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; + dbf.setFeature(FEATURE, true); + + FEATURE = "http://xml.org/sax/features/external-general-entities"; + dbf.setFeature(FEATURE, false); + + FEATURE = "http://xml.org/sax/features/external-parameter-entities"; + dbf.setFeature(FEATURE, false); + + FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; + dbf.setFeature(FEATURE, false); + + dbf.setXIncludeAware(false); + dbf.setExpandEntityReferences(false); + +} catch (ParserConfigurationException e) { + logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + + "' is probably not supported by your XML processor."); +} catch (SAXException e) { + logger.warning("A DOCTYPE was passed into the XML document"); +} catch (IOException e) { + logger.error("IOException occurred, XXE may still possible: " + e.getMessage()); +} + +// Load XML file or stream using a XXE agnostic configured parser +DocumentBuilder safebuilder = dbf.newDocumentBuilder(); +``` +
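Review bot: The `catch (SAXException e)` and `catch (IOException e)` clauses in the added Java sample cannot compile as written: the try body only calls `setFeature`/`setXIncludeAware`/`setExpandEntityReferences`, none of which throw those checked exceptions, so javac rejects them as "never thrown in body of corresponding try statement"; either move the later `safebuilder.parse(...)` call inside the try (where those two catches then make sense) or drop the two clauses. More importantly for a prevention example, the `ParserConfigurationException` branch only logs at info and falls through to `dbf.newDocumentBuilder()`, so a processor that does not support `disallow-doctype-decl` silently yields an unhardened parser; fail closed instead, e.g. `throw new IllegalStateException("XML parser cannot be hardened; feature " + FEATURE + " unsupported", e);`. The trailing comment should also read `// Load XML using an XXE-safe configured parser` rather than "XXE agnostic", and it is worth stating that `setExpandEntityReferences(false)` is defence in depth only — the DOCTYPE/external-entity features are what actually block XXE.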