# 400 Bad Request: XML parse error - entity expansion exceeds limit

- **ID:** `api/xml-parse-error-entity-expansion`
- **Domain:** api
- **Category:** data_error
- **Verification level:** ai_generated
- **Fix rate:** 85%

## Root cause

The XML request body contains deeply nested entity references or a very large number of them, exceeding the parser's entity expansion limit (for example, the protection against the "billion laughs" attack).

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Java Xerces 2.12+ | active | — | — |
| Python defusedxml 0.7+ | active | — | — |
| libxml2 2.9+ | active | — | — |
| Spring Boot 3.x | active | — | — |

## Solutions

1. Validate and sanitize XML input before parsing. Example using Python defusedxml:

   ```python
   import io
   from defusedxml import EntitiesForbidden
   from defusedxml import ElementTree

   # xml_string: the raw XML request body received by the API endpoint
   # defusedxml refuses entity declarations by default (forbid_entities=True),
   # so a billion-laughs payload is rejected before any expansion takes place
   try:
       tree = ElementTree.parse(io.StringIO(xml_string))
   except EntitiesForbidden:
       print('Entity expansion attack detected')
   ```

2. Use JSON or another non-XML format for the API if XML entity expansion is not required.
3. Implement a custom input filter that rejects XML containing an excessive number of entity declarations before it reaches the parser.

## Ineffective attempts

- This may make the application vulnerable to denial-of-service attacks; also, the error may still occur if the input is malicious. (60% failure rate)
- Most secure parsers have similar limits; the underlying issue is the input data, not the parser. (50% failure rate)
- This removes security protections and may allow injection attacks, without fixing the entity expansion problem. (80% failure rate)
