Why is this an issue?
Use the glide.xmlutil.max_entity_expansion property to defend against the XML Entity Expansion (Billion Laughs) attack, which is a denial-of-service (DoS) attack that targets XML parsers.
The Now Platform does not process further entity expansions beyond the limit specified in this property.
What is DoS?
A Denial-of-Service (DoS) attack is a cyber-attack meant to tie up a website’s resources so that users who need to access the site cannot do so. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
How does this attack work?
When an XML parser that implements DOM or SAX encounters XML entities while parsing, it tries to expand them: the parser replaces each entity reference in the document content with the entity definition and continues parsing.
If the entity definition contains references to other entities, these will also have to be expanded. That is the key to the Billion Laughs attack.
Best practices
Since an attacker could use this vulnerability to expand data exponentially, create or set this property to 3000 so that the Now Platform can block further processing.
Note: 3000 is the default minimum imposed by the Now Platform.
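The following JavaScript is an added illustration, not Now Platform code and not the platform's implementation: it counts how many entity expansions a document would require, without building the expanded text, and stops once the count passes a limit (3000, the value given above). The function names, the regex-based DTD parsing and the constructed sample documents are assumptions made for the example.

```javascript
// Added illustration: count entity expansions without building the expanded text.
const LIMIT = 3000; // value the page recommends for glide.xmlutil.max_entity_expansion
const ENTITY_DECL = /<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>/g;
const ENTITY_REF = /&([\w.-]+);/g;

// Collect internal general entity declarations (first declaration wins, as in XML 1.0).
function parseEntities(xml) {
  const defs = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) {
    if (!defs.has(m[1])) defs.set(m[1], m[2]);
  }
  return defs;
}

// Walk references depth-first, counting each expansion and stopping past the limit.
function countExpansions(xml, limit = LIMIT) {
  const defs = parseEntities(xml);
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]>/, '');
  let count = 0;
  function walk(text, stack) {
    for (const m of text.matchAll(ENTITY_REF)) {
      const name = m[1];
      if (!defs.has(name)) continue; // predefined (&amp;) or undeclared: not counted here
      if (stack.includes(name)) throw new Error('recursive entity: ' + name);
      count += 1;
      if (count > limit) return false; // refuse further processing
      if (!walk(defs.get(name), stack.concat(name))) return false;
    }
    return true;
  }
  const allowed = walk(body, []);
  return { allowed, expansions: count };
}

// Constructed sample: `levels` entities, each referencing the previous one `fanout` times.
function buildNested(levels, fanout) {
  let dtd = '<!ENTITY e0 "x">';
  for (let i = 1; i <= levels; i++) {
    dtd += `<!ENTITY e${i} "${`&e${i - 1};`.repeat(fanout)}">`;
  }
  return `<!DOCTYPE r [${dtd}]><r>&e${levels};</r>`;
}

console.log(countExpansions(buildNested(3, 10))); // within the limit
console.log(countExpansions(buildNested(4, 10))); // stopped once the limit is passed
```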