Passport SAML and XML Parser


I'm trying to implement passport-saml's MultiSamlStrategy in an Express.js app, and so far everything is working. As far as I know, passport already validates the SAML Response signature, issuer, destination, etc., so it must have an XML parser. I'm trying to secure my application in order to prevent XXE attacks, so I must guarantee that DTD (Document Type Definition) processing is disabled in my XML parser. How do I achieve that using passport-saml?

I'm using these middlewares:

const express = require("express");
const app = express();
app.use(express.urlencoded({ extended: false, limit: "15mb" }));
app.use(express.json({ limit: "15mb" }));

I'm not sure whether DTD handling is a matter of the middleware or of passport itself.


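A defence-in-depth check for the concern raised in the question, added here as an example and not code from the question or from passport-saml: an Express middleware that decodes the base64 `SAMLResponse` form field of the SAML HTTP-POST binding and refuses the request with a 400 when the XML carries a DOCTYPE or ENTITY declaration, before passport-saml ever parses it. The callback route path is an assumption; the `express.urlencoded` middleware from the question must run first so that `req.body.SAMLResponse` is populated.

```javascript
// Added example, not code from the question or from passport-saml.
// Assumes the SAML HTTP-POST binding: the IdP posts the response XML
// base64-encoded in the "SAMLResponse" form field, so express.urlencoded()
// must run before this middleware (as in the question's setup).

// A DOCTYPE or ENTITY declaration has no place in a SAML response, and a
// document without either one cannot trigger external-entity expansion.
const DTD_PATTERN = /<!(?:DOCTYPE|ENTITY)\b/i;

function containsDtd(xml) {
  return DTD_PATTERN.test(xml);
}

// Decode and inspect one SAMLResponse field. Returns
//   { ok: true,  xml }     when the XML may be handed on to passport-saml
//   { ok: false, reason }  when the request should be rejected
function checkSamlResponse(field) {
  if (typeof field !== "string" || field.length === 0) {
    return { ok: false, reason: "missing SAMLResponse" };
  }
  // Buffer.from() drops characters that are not base64; an empty result
  // means the field carried nothing decodable.
  const xml = Buffer.from(field, "base64").toString("utf8");
  if (xml.length === 0) {
    return { ok: false, reason: "SAMLResponse is not base64" };
  }
  if (containsDtd(xml)) {
    return { ok: false, reason: "DTD not allowed in SAML response" };
  }
  return { ok: true, xml };
}

// Express middleware: mount it in front of passport.authenticate(), e.g.
//   app.post("/login/callback", rejectSamlDtd, passport.authenticate("saml", ...));
// (the route path is an assumption, not taken from the question).
function rejectSamlDtd(req, res, next) {
  const result = checkSamlResponse(req.body && req.body.SAMLResponse);
  if (!result.ok) {
    return res.status(400).send("SAML response rejected: " + result.reason);
  }
  return next();
}
```

This check does not replace a parser configured to refuse DTDs; it only guarantees that no DTD reaches whichever parser passport-saml uses.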