You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pdfbox.apache.org by ti...@apache.org on 2020/09/28 18:21:30 UTC

svn commit: r1882097 - /pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java

Author: tilman
Date: Mon Sep 28 18:21:30 2020
New Revision: 1882097

URL: http://svn.apache.org/viewvc?rev=1882097&view=rev
Log:
PDFBOX-4971: add security features

Modified:
    pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java

Modified: pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java
URL: http://svn.apache.org/viewvc/pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java?rev=1882097&r1=1882096&r2=1882097&view=diff
==============================================================================
--- pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java (original)
+++ pdfbox/trunk/debugger/src/main/java/org/apache/pdfbox/debugger/streampane/StreamPane.java Mon Sep 28 18:21:30 2020
@@ -44,6 +44,7 @@ import javax.swing.text.Style;
 import javax.swing.text.StyleConstants;
 import javax.swing.text.StyleContext;
 import javax.swing.text.StyledDocument;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -398,7 +399,11 @@ public class StreamPane implements Actio
                     builderFactory.setExpandEntityReferences(false);
                     DocumentBuilder builder = builderFactory.newDocumentBuilder();
                     Document doc = builder.parse(new InputSource(inputStreamReader));
-                    Transformer transformer = TransformerFactory.newInstance().newTransformer();
+                    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                    Transformer transformer = transformerFactory.newTransformer();
                     transformer.setOutputProperty(OutputKeys.INDENT, "yes");
                     transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", Integer.toString(1));
                     StreamResult result = new StreamResult(baos);