svn commit: r1833708 -
/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
Author: taher
Date: Mon Jun 18 12:23:44 2018
New Revision: 1833708
URL: http://svn.apache.org/viewvc?rev=1833708&view=rev
Log:
Improved: improve XML parsing with more restrictive settings
(OFBIZ-10435)
Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java?rev=1833708&r1=1833707&r2=1833708&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java Mon Jun 18 12:23:44 2018
@@ -431,6 +431,12 @@ public final class UtilXml {
factory.setAttribute("http://xml.org/sax/features/validation", validate);
factory.setAttribute("http://apache.org/xml/features/validation/schema", validate);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+
// with a SchemaUrl, a URL object
DocumentBuilder builder = factory.newDocumentBuilder();
if (validate) {