Oxygen XML Editor, Author and Developer Desktop - Security and Data Integrity
This article explains the main security and data integrity features in Oxygen XML Desktop applications and highlights the settings and best practices that reduce risk when you work with content, add-ons, projects, and remote resources.
Users sometimes ask how secure the Oxygen XML Editor, Author, and Developer desktop applications are. This article explains the main security and data integrity aspects and points out the settings and practices that help reduce risk.
Oxygen includes several layers of protection. Combined with careful user decisions, these protections help you keep editing sessions safe and productive.
Certifications
Our company (Syncro Soft SRL) is ISO 27001:2022 certified. This certification covers our information security management (ISMS), not the Oxygen desktop applications themselves.
We do not perform SOC 2-style penetration testing for Oxygen desktop applications because SOC 2 is designed for service organizations and hosted platforms, not for locally installed desktop software . Oxygen desktop runs on each user's machine, and users control both the edited content and the external resources that the application can access.
Third-Party Libraries
Like most desktop applications, Oxygen includes a mix of open-source and commercial libraries. You can review them in the dialog. Over time, Common Vulnerabilities and Exposures (CVEs) may be reported for libraries used by the application or by plugins built for it. We monitor these reports and decide how to respond based on their impact on the product:
- We may release updated application or plugin versions as soon as possible when the risk is severe and exploitable.
- We may determine that a reported CVE does not affect Oxygen because the vulnerable library code is not used or reachable in the product. In that case, we publish security advisories and may update the libraries in a later release.
Privacy
By default, the application checks the Oxygen website to retrieve information about events such as new releases, conferences, and webinars. These checks do not transmit personal data or edited content. You can disable these notification checks if needed.
By default, Oxygen also lets you install add-ons from the default update site. The same privacy settings can also control this behavior.
Add-ons - Plugins
You can install plugins in Oxygen by using the add-on installation support. During installation, Oxygen shows the add-on EULA and whether the add-on is signed. Oxygen provides many official add-ons that you can install. Do not install third-party add-ons from unverified or untrusted sources. Installed plugins run inside Oxygen process and inherit its access rights, so they can modify files on your computer or run other processes.
If an installed plugin makes Oxygen unresponsive in some situations, uninstall it from the Oxygen page and contact the plugin vendor.
Plugins may also add side views that let you open and save documents from external locations. Do not use these capabilities if you do not trust the plugin or the external storage system.
Add-ons - Frameworks
You can install frameworks in Oxygen by using the add-on installation support. Frameworks add editing support for specific XML vocabularies. During installation, Oxygen shows the add-on EULA and whether the add-on is signed. Do not install third-party frameworks from unverified or untrusted sources. Java extensions included in frameworks run with the same user permissions as Oxygen itself, so they can modify files on your computer or run other processes.
If an installed framework makes Oxygen unresponsive in some situations, uninstall it from the Oxygen page and contact the framework vendor.
Connections to Remote Servers
Whenever Oxygen tries to open an HTTP or HTTPS connection to a remote server, it shows a dialog that asks whether the connection should be allowed. You can manage trusted hosts in the Trusted Hosts Preferences page. Connections to remote resources may retrieve unapproved content or send content to a server, so reject connections to sites that you do not trust.
Project Level Settings
Most Oxygen preference pages can be saved at project level and shared with a team. When you open an Oxygen project XPR file that contains custom settings, Oxygen notifies you about them. Do not approve and apply custom settings from an XPR file that comes from an untrusted source.
Untrusted Content
You may receive XML documents and related files, such as XSLT stylesheets, from other people. In general, do not open documents from untrusted sources. Oxygen includes built-in protections against many well-known XML processing vulnerabilities. If Oxygen asks for permission to connect to an external website while you process or edit untrusted content, allow the connection only if you trust the site.
Crashes - Data Integrity
Oxygen tries to protect the content that you are editing, including unsaved changes, in the event of an application crash. In the Oxygen page, settings such as Safe save and Save auto-recover information are enabled by default.
If the application crashes while you edit a document and then restarts, it should let you recover the edited content.
Out of Memory
Oxygen is started with a maximum amount of memory allocated to the application. You can see the current maximum in the dialog. You can also increase the maximum amount of memory allocated to Oxygen.
The application includes several features that help avoid out-of-memory situations:
- Optimizations and restrictions when loading very large files.
- Lazy loading of files reopened with a project in the Project view. Oxygen loads only the currently selected files first and loads other files when you select their tabs.
- Starting with Oxygen 29, when available memory becomes critically low, the application shows a warning and unloads the content of opened documents while keeping their tabs. The documents are automatically re-loaded again when you select their tabs.
Getting Help
If you use an active Oxygen desktop license for a version that is not in the end-of-life stage, you can contact us through several support channels for advice or help related to unstable or unsafe application behavior. You can also use the Oxygen dialog to report problems, including potential security issues.
