3.12.0 Upgrade Guide

Chris Turczynskyj edited this page Oct 14, 2021 · 8 revisions

Preventing XML External Entity Vulnerabilities

In 3.12.0, we address a potential security risk regarding XML External Entity Processing. See this OWASP article for more details about the vulnerability.

To mitigate this risk, we now disallow DOCTYPE declarations in all areas of Mirth Connect that parse XML.

How this can affect you

If any of your channels or code templates are constructing XML messages that contain DOCTYPE declarations, there will now be an error when that XML is parsed by Connect.

Similarly, if any of your channels receive XML messages that contain DOCTYPE declarations, those messages will error upon parsing.
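
One way to check ahead of the upgrade whether a given message would be affected, as an added example that is not part of Mirth Connect or of this guide: the function below (hypothetical name `hasDoctypeDeclaration`) walks the XML prolog and reports a DOCTYPE declaration, ignoring the string where it only appears inside a comment or a CDATA section and is therefore not a declaration. The sample messages are constructed.

```javascript
// Added example: reports whether an XML message carries a DOCTYPE declaration
// in its prolog. Function name and sample messages are constructed for
// illustration and are not taken from Mirth Connect.
function hasDoctypeDeclaration(xml) {
  var s = String(xml);
  var i = s.charCodeAt(0) === 0xFEFF ? 1 : 0; // skip a byte order mark

  // True when `token` starts at the current position.
  function at(token) {
    return s.slice(i, i + token.length) === token;
  }
  // Move past a construct that opens with `open` and ends with `close`.
  function skipPast(open, close) {
    var end = s.indexOf(close, i + open.length);
    i = end === -1 ? s.length : end + close.length;
  }

  while (i < s.length) {
    if (/\s/.test(s.charAt(i))) { i++; }
    else if (at('<!--')) { skipPast('<!--', '-->'); } // comment
    else if (at('<!DOCTYPE')) { return true; }        // the declaration itself
    else if (at('<?')) { skipPast('<?', '?>'); }      // XML declaration or PI
    else { return false; }                            // root element reached
  }
  return false;
}

// Constructed sample messages.
var samples = {
  plain: '<?xml version="1.0"?>\n<msg><id>1</id></msg>',
  withDoctype: '<?xml version="1.0"?>\n<!-- hdr -->\n<!DOCTYPE msg SYSTEM "msg.dtd">\n<msg/>',
  inComment: '<!-- <!DOCTYPE msg> -->\n<msg/>',
  inCdata: '<msg><![CDATA[<!DOCTYPE msg>]]></msg>'
};

// Returns the names of the samples that contain a real DOCTYPE declaration.
function auditSamples() {
  var flagged = [];
  for (var name in samples) {
    if (hasDoctypeDeclaration(samples[name])) { flagged.push(name); }
  }
  return flagged;
}

console.log(auditSamples());
```

Because the scan stops at the root element, it stays cheap on large messages and does not flag DOCTYPE text carried in the message body.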

PDF Generation Updates

In 3.12.0, Connect no longer uses iText to generate PDFs and now uses openhtmltopdf. The PDFBox library has also been updated from version 1.8.4 to 2.0.24.

Using PDFBox Classes

Because the PDFBox library has been updated from 1.x to 2.x, any code that uses PDFBox classes directly may need to change, as this major update could contain breaking changes.

PDF Generation and Images

Local image paths that were not proper URIs may have worked previously, but this was never intended functionality. With the change of PDF generation libraries in 3.12.0, you must now use a proper file URI when adding images to your PDF.

For example, this will not work:

<img src="/data/images/image1.png"></img>

But this does work:

<img src="file:///data/images/image1.png"></img>