Posted to issues@commons.apache.org by "Rob Tompkins (JIRA)" <ji...@apache.org> on 2017/08/24 10:54:02 UTC
[jira] [Created] (JELLY-293) Accommodate toggling off DTD external entities.
Rob Tompkins created JELLY-293:
----------------------------------
Summary: Accommodate toggling off DTD external entities.
Key: JELLY-293
URL: https://issues.apache.org/jira/browse/JELLY-293
Project: Commons Jelly
Issue Type: Bug
Components: core / taglib.core
Affects Versions: 1.0
Reporter: Rob Tompkins
Fix For: 1.0.1
We want the ability to configure whether or not Jelly files can be declared such that the doctype definition at the beginning of the XML can call out to external entities when parsed by SAX in the Xerces project.
The suggested fix is to add
{code:java}
if (!allowDtdToCallExternalEntities) {
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}
{code}
immediately following this line: https://github.com/apache/commons-jelly/blob/commons-jelly-1.0/src/java/org/apache/commons/jelly/parser/XMLParser.java#L496
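The effect of the proposed toggle, as an added example that is not part of the original message or of Commons Jelly's code: it parses a constructed Jelly-style document once with the three features left at their defaults and once with them disabled. The class name, the parse helper and the temporary marker file are assumptions made for the demo, and it assumes a stock JDK whose built-in SAX parser is Xerces-based and resolves external entities by default.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class ExternalEntityToggleDemo {
    // The flag name follows the issue's suggested fix; this helper is hypothetical.
    static String parse(String xml, boolean allowDtdToCallExternalEntities) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        if (!allowDtdToCallExternalEntities) {
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        // Collect all character data so the caller can see what the parser expanded.
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed marker file standing in for any resource outside the script.
        File marker = File.createTempFile("jelly-entity-demo", ".txt");
        marker.deleteOnExit();
        Files.write(marker.toPath(), "MARKER-FROM-EXTERNAL-FILE".getBytes(StandardCharsets.UTF_8));

        // Constructed script whose DOCTYPE declares an external general entity.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE j:jelly [ <!ENTITY ext SYSTEM \"" + marker.toURI() + "\"> ]>\n"
                + "<j:jelly xmlns:j=\"jelly:core\">&ext;</j:jelly>";

        for (boolean allow : new boolean[] {true, false}) {
            String content = parse(xml, allow);
            System.out.println("allowDtdToCallExternalEntities=" + allow
                    + " -> parsed content: \"" + content + "\"");
        }
    }
}
```

With the flag set to false the parser skips the &ext; reference instead of fetching it, so the marker text does not appear in the parsed content.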