You are viewing a plain text version of this content. The canonical link for it is here.
Posted to batik-dev@xmlgraphics.apache.org by "Tony BenBrahim (JIRA)" <ji...@apache.org> on 2015/03/07 08:51:38 UTC
[jira] [Created] (BATIK-1113) Hard to solve XML External Entities
problem
Tony BenBrahim created BATIK-1113:
-------------------------------------
Summary: Hard to solve XML External Entities problem
Key: BATIK-1113
URL: https://issues.apache.org/jira/browse/BATIK-1113
Project: Batik
Issue Type: Bug
Components: SVG DOM
Affects Versions: 1.8
Reporter: Tony BenBrahim
Even if one agrees with the sentiments expressed in the comments of BATIK-1018, it should be possible to turn off XML external entity processing without subclassing Batik classes.
Take for example {{SAXSVGDocumentFactory}}, which extends {{SAXDocumentFactory}}. When it comes time to parse the SVG in {{Document createDocument(InputSource is)}}, line 401 of {{SAXDocumentFacotry}}, the code uses either a String classname to instantiate the parser, or an internal static factory with package visibility.
Therefore, the only way to create a parser is to subclass {{SAXDocumentFactory}}, override {{createDocument}}, and create your own parser, so that it can be configured to not process XEE.
Any class that parses XML should either:
- provide a public accessor method to access the default parser factory
- allow passing in a parser factory
- allow passing in a parser factory class name (less than ideal, requires user to write their own parser factory)
- allow passing in a parser instance
In the case of {{SAXDocumentFactory}}, a simple {{public static SAXParserFactory getDefaultParserFactory()}} would have obviated the need to subclass.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org