Hi, Now that Sun has fixed this in JDK6u4, I thought this might be of interest to people: http://scarybeastsecurity.blogspot.com/ Essentially, one common XXE protection method was broken in the default XML parser, in JDK6. In particular, I'm worried about web services (and other server-side XML accepting technologies) deployed under JDK6. I haven't had time to look into common web service frameworks and see how they implement XXE protection. Might be interesting to look into specific technologies that broke. Cheers Chris
