Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:
Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.
In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies