How to Protect Text Input from XML External Entity (XXE) Attacks using JavaScript

Boosting your application’s threat profile is a daunting but necessary task. There are seemingly an insurmountable number of vulnerabilities to patch — and even then, cyber threats tend to evolve like organic viruses, inexorably exploiting new weak points wherever they might appear.

With our XXE Detection API, you can take a step in the right direction and secure your XML parser from malicious input. This API is extremely straightforward & easy to use, identifying whether a given text string contained an XXE attack. You can easily configure subsequent operations to delete or deal with the problematic XML code in whichever way you choose; that’s the beautify of implementing external services with powerful specializations.

Below, we’ll walk through how you can leverage this API using ready-to-run JavaScript examples to structure your API call.

To use the built-in XHR function in JavaScript, you can simply copy & paste the following code block:

var data = JSON.stringify("<string>");var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function() {
if(this.readyState === 4) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api.cloudmersive.com/security/threat-detection/content/xxe/detect/xml/string");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("Apikey", "YOUR-API-KEY-HERE");
xhr.send(data);

And to install with jQuery instead, you can first run the below command:

bower install jquery

Then you can call the function:

var settings = {
"url": "https://api.cloudmersive.com/security/threat-detection/content/xxe/detect/xml/string",
"method": "POST",
"timeout": 0,
"headers": {
"Content-Type": "application/json",
"Apikey": "YOUR-API-KEY-HERE"
},
"data": JSON.stringify("<string>"),
};
$.ajax(settings).done(function (response) {
console.log(response);
});

That’s all the code you’ll need. To authenticate access, however, you’ll need to include a Cloudmersive API key where indicated in either snippet. Getting a key is easy & can be done for free by registering a free account on our website (this account will provide a limit of 800 API calls per month with zero commitments — you can upgrade to a business plan for more bandwidth at any time).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cloudmersive

There’s an API for that. Cloudmersive is a leader in Highly Scalable Cloud APIs.