[jira] [Created] (BATIK-1113) Hard to solve XML External Entities problem

["Tony BenBrahim (JIRA)" <ji...@apache.org>]

Tony BenBrahim created BATIK-1113:
-------------------------------------

             Summary: Hard to solve XML External Entities problem
                 Key: BATIK-1113
                 URL: https://issues.apache.org/jira/browse/BATIK-1113
             Project: Batik
          Issue Type: Bug
          Components: SVG DOM
    Affects Versions: 1.8
            Reporter: Tony BenBrahim


Even if one agrees with the sentiments expressed in the comments of BATIK-1018, it should be possible to turn off XML external entity processing without subclassing Batik classes.

Take for example {{SAXSVGDocumentFactory}}, which extends {{SAXDocumentFactory}}. When it comes time to parse the SVG in {{Document createDocument(InputSource is)}}, line 401 of {{SAXDocumentFacotry}}, the code uses either a String classname to instantiate the parser, or an internal static factory with package visibility.
Therefore, the only way to create a parser is to subclass {{SAXDocumentFactory}}, override {{createDocument}}, and create your own parser, so that it can be configured to not process XEE.

Any class that parses XML should either:
- provide a public accessor method to access the default parser factory
- allow passing in a parser factory
- allow passing in a parser factory class name (less than ideal, requires user to write their own parser factory)
- allow passing in a parser instance

In the case of {{SAXDocumentFactory}}, a simple {{public static SAXParserFactory getDefaultParserFactory()}} would have obviated the need to subclass.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org