Posted to dev@any23.apache.org by GitBox <gi...@apache.org> on 2021/10/20 16:25:40 UTC

[GitHub] [any23] lewismc commented on pull request #205: ANY23-504 XML-based parsers should not load external DTDs by default

lewismc commented on pull request #205:
URL: https://github.com/apache/any23/pull/205#issuecomment-947831492


   @sebastian-nagel so it looks like we [got to the bottom of it](https://github.com/eclipse/rdf4j/issues/3347#issuecomment-947414103). For clarity, 
   
   > The TriXParser's underlying SAX2 parser (usually Xerces) should be configured, by default, to not read remote DTDs. This behavior can be overridden from the RDF4J side by tweaking the XMLParserSettings.LOAD_EXTERNAL_DTD option, or by setting the system property http://apache.org/xml/features/nonvalidating/load-external-dtd to true.
   > However, I've just done a quick unit test at my end and it appears there is a regression in the default settings.
   > Long story short: you've discovered a bug in the TriXParser, thanks! And sorry it took so long for me to cotton on.
   > The short-term workaround in the Any23 code is to explicitly disable loading of external DTDs on the TriXParser:
   ```java
   parser.getParserConfig().set(XMLParserSettings.LOAD_EXTERNAL_DTD, false);
   ```


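A regression check for the behavior discussed in the comment above, as an added example that is not part of the original message or of the Any23 or RDF4J code: it uses the JDK's built-in SAX parser rather than RDF4J's TriXParser, and records whether the parser asks for the external DTD when the `load-external-dtd` feature is off and when it is on. The class name, the sample document and the `dtd.example.invalid` host are constructed for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Added example (hypothetical class name): checks whether a SAX parser asks for an external DTD.
public class ExternalDtdCheck {
    // Feature name quoted in the comment above.
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Constructed sample: the DOCTYPE points at a placeholder host that is never contacted.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE TriX SYSTEM \"http://dtd.example.invalid/trix.dtd\">\n"
        + "<TriX xmlns=\"http://www.w3.org/2004/03/trix/trix-1/\"/>";

    // Parses DOC and returns every system identifier the parser tried to resolve.
    static List<String> requestedEntities(boolean loadExternalDtd) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(LOAD_EXTERNAL_DTD, loadExternalDtd);
        XMLReader reader = factory.newSAXParser().getXMLReader();

        List<String> requested = new ArrayList<>();
        // Record the request and hand back an empty DTD so no network I/O happens.
        reader.setEntityResolver((publicId, systemId) -> {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        });
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(DOC)));
        return requested;
    }

    public static void main(String[] args) throws Exception {
        List<String> hardened = requestedEntities(false);
        List<String> permissive = requestedEntities(true);
        System.out.println("load-external-dtd=false requested: " + hardened);
        System.out.println("load-external-dtd=true  requested: " + permissive);
        // Fail loudly if the hardened configuration still reaches for the DTD.
        if (!hardened.isEmpty()) {
            throw new AssertionError("parser asked for an external DTD: " + hardened);
        }
    }
}
```

The same recording-resolver pattern can be wrapped in a unit test so that a change in parser defaults shows up as a test failure rather than as unexpected outbound requests.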