# Avoiding Outdated Components
- If a web app is vulnerable to XXE, this is very likely due to an outdated XML library that parses the XML data
- For example, PHP's [libxml_disable_entity_loader](https://www.php.net/manual/en/function.libxml-disable-entity-loader.php) function is deprecated since it allows a developer to enable external entities in an unsafe manner, which leads to XXE vulns
- Common code editors (e.g., VSCode) will highlight that this specific function is deprecated and will warn us against using it ![[images/Pasted image 20260114202228.png]]
- In addition to updating the XML libraries, we should also update any components that parse XML input, such as API libraries like SOAP
- Furthermore, any document or file processors that may perform XML parsing, like SVG image processors or PDF document processors, may also be vulnerable to XXE vulnerabilities, and we should update them as well
# Using Safe XML Configurations
- Other than using the latest XML libraries, certain XML configurations for web applications can help reduce the possibility of XXE exploitation. These include:
    - Disable referencing custom `Document Type Definitions (DTDs)`
    - Disable referencing `External XML Entities`
    - Disable `Parameter Entity` processing
    - Disable support for `XInclude`
    - Prevent `Entity Reference Loops`
- Put in place proper exception handling in our web apps and disable displaying runtime errors in web servers
    - This limits error-based XXE exploitation
- Replace XML data with other formats, such as JSON or YAML
    - This also includes avoiding API standards that rely on XML (e.g., SOAP) and using JSON-based APIs instead (e.g., REST)
- Use a WAF as another layer of protection against XXE exploitation
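The configuration checklist and the error-handling point above, applied to Python's standard-library expat parser as an added example (not code from the original notes; `parse_untrusted_xml`, `handle_xml_request` and the sample documents are hypothetical and constructed here): DOCTYPEs, entity declarations and external entity references are refused, and the request wrapper returns only a generic error so error-based XXE gets no feedback. XInclude is not covered because expat performs no XInclude processing on its own.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a feature the hardened parser refuses."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # No custom DTDs: the internal subset is where entities get declared, and a
    # SYSTEM identifier would make a permissive parser fetch an external DTD.
    raise UnsafeXML("DOCTYPE declarations are not allowed")

def _reject_entity(*_):
    # Second layer: refuse general and parameter entity declarations, so entity
    # reference loops cannot even be defined if DOCTYPEs are ever re-enabled.
    raise UnsafeXML("entity declarations are not allowed")

def _reject_external_ref(context, base, sysid, pubid):
    # Returning 0 tells expat the external entity could not be resolved, so no
    # local file or URL is ever read on the entity's behalf.
    return 0

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD and entity processing refused."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # an exception raised in a handler propagates here
    return builder.close()

def handle_xml_request(data: bytes):
    """Request wrapper: the parser's own error text never reaches the client."""
    try:
        return parse_untrusted_xml(data), None
    except (UnsafeXML, expat.ExpatError):
        # Log the exception server-side instead; a verbose response here is
        # exactly the feedback channel that error-based XXE needs.
        return None, "invalid XML document"

# Constructed sample inputs for demonstration only.
BENIGN = b"<order><item sku='A1'>2</item></order>"
EXTERNAL_ENTITY = b"<!DOCTYPE r [<!ENTITY x SYSTEM 'file:///placeholder'>]><r>&x;</r>"
```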