
Commit a822852

committed
SAXReader uses system default XMLReader with its defaults. New factory method SAXReader.createDefault() sets more secure defaults.
1 parent 1707bf3 commit a822852

3 files changed

+973
-953
lines changed


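--- a/src/main/java/org/dom4j/DocumentHelper.java
+++ b/src/main/java/org/dom4j/DocumentHelper.java
@@ -107,12 +107,12 @@ public static QName createQName(String localName) {
 * XPath <code>XPath</code> instance using the singleton {@link
 * DocumentFactory}.
 * </p>
-*
+*
 * @param xpathExpression
 * is the XPath expression to create
-*
+*
 * @return a new <code>XPath</code> instance
-*
+*
 * @throws InvalidXPathException
 * if the XPath expression is invalid
 */
@@ -127,14 +127,14 @@ public static XPath createXPath(String xpathExpression)
 * XPath <code>XPath</code> instance using the singleton {@link
 * DocumentFactory}.
 * </p>
-*
+*
 * @param xpathExpression
 * is the XPath expression to create
 * @param context
 * is the variable context to use when evaluating the XPath
-*
+*
 * @return a new <code>XPath</code> instance
-*
+*
 * @throws InvalidXPathException
 * if the XPath expression is invalid
 */
@@ -150,10 +150,10 @@ public static XPath createXPath(String xpathExpression,
 * filter expressions occur within XPath expressions such as
 * <code>self::node()[ filterExpression ]</code>
 * </p>
-*
+*
 * @param xpathFilterExpression
 * is the XPath filter expression to create
-*
+*
 * @return a new <code>NodeFilter</code> instance
 */
 public static NodeFilter createXPathFilter(String xpathFilterExpression) {
@@ -166,10 +166,10 @@ public static NodeFilter createXPathFilter(String xpathFilterExpression) {
 * an XSLT style {@link Pattern}instance which can then be used in an XSLT
 * processing model.
 * </p>
-*
+*
 * @param xpathPattern
 * is the XPath pattern expression to create
-*
+*
 * @return a new <code>Pattern</code> instance
 */
 public static Pattern createPattern(String xpathPattern) {
@@ -182,12 +182,12 @@ public static Pattern createPattern(String xpathPattern) {
 * {@link List}of {@link Node}instances appending all the results together
 * into a single list.
 * </p>
-*
+*
 * @param xpathFilterExpression
 * is the XPath filter expression to evaluate
 * @param nodes
 * is the list of nodes on which to evalute the XPath
-*
+*
 * @return the results of all the XPath evaluations as a single list
 */
 public static List<Node> selectNodes(String xpathFilterExpression, List<Node> nodes) {
@@ -202,12 +202,12 @@ public static List<Node> selectNodes(String xpathFilterExpression, List<Node> no
 * {@link List}of {@link Node}instances appending all the results together
 * into a single list.
 * </p>
-*
+*
 * @param xpathFilterExpression
 * is the XPath filter expression to evaluate
 * @param node
 * is the Node on which to evalute the XPath
-*
+*
 * @return the results of all the XPath evaluations as a single list
 */
 public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
@@ -221,7 +221,7 @@ public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
 * <code>sort</code> sorts the given List of Nodes using an XPath
 * expression as a {@link java.util.Comparator}.
 * </p>
-*
+*
 * @param list
 * is the list of Nodes to sort
 * @param xpathExpression
@@ -238,7 +238,7 @@ public static void sort(List<Node> list, String xpathExpression) {
 * expression as a {@link java.util.Comparator}and optionally removing
 * duplicates.
 * </p>
-*
+*
 * @param list
 * is the list of Nodes to sort
 * @param expression
@@ -259,24 +259,17 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
 * </p>
 *
 * Loading external DTD and entities is disabled (if it is possible) for security reasons.
-*
+*
 * @param text
 * the XML text to be parsed
-*
+*
 * @return a newly parsed Document
-*
+*
 * @throws DocumentException
 * if the document could not be parsed
 */
 public static Document parseText(String text) throws DocumentException {
-SAXReader reader = new SAXReader();
-try {
-reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-} catch (SAXException e) {
-//Parse with external resources downloading allowed.
-}
+SAXReader reader = SAXReader.createDefault();
 
 String encoding = getEncoding(text);
 
@@ -330,14 +323,14 @@ private static String getEncoding(String text) {
 * get the first child &lt;a&gt; element, which would be created if it did
 * not exist, then the next child &lt;b&gt; and so on until finally a
 * &lt;c&gt; element is returned.
-*
+*
 * @param source
 * is the Element or Document to start navigating from
 * @param path
 * is a simple path expression, seperated by '/' which denotes
 * the path from the source to the resulting element such as
 * a/b/c
-*
+*
 * @return the first Element on the given path which either already existed
 * on the path or were created by this method.
 */
@@ -386,24 +379,24 @@ public static Element makeElement(Branch source, String path) {
 * Redistribution and use of this software and associated documentation
 * ("Software"), with or without modification, are permitted provided that the
 * following conditions are met:
-*
+*
 * 1. Redistributions of source code must retain copyright statements and
 * notices. Redistributions must also contain a copy of this document.
-*
+*
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
-*
+*
 * 3. The name "DOM4J" must not be used to endorse or promote products derived
 * from this Software without prior written permission of MetaStuff, Ltd. For
 * written permission, please contact dom4j-info@metastuff.com.
-*
+*
 * 4. Products derived from this Software may not be called "DOM4J" nor may
 * "DOM4J" appear in their names without prior written permission of MetaStuff,
 * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
-*
+*
 * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
-*
+*
 * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -415,6 +408,6 @@ public static Element makeElement(Branch source, String path) {
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
-*
+*
 * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
 */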
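Review bot: The Javadoc at line 261 still promises that external DTD and entity loading is disabled, but the new body of parseText (line 272) now inherits that guarantee from `SAXReader.createDefault()`, whose implementation is in the third changed file and not visible on this page, so the sentence should name where the guarantee comes from, e.g. `Loading external DTD and entities is disabled for security reasons; see {@link SAXReader#createDefault()} for the exact features applied.` The removed code silently swallowed the SAXException from setFeature, so it is worth confirming that createDefault() surfaces, rather than ignores, a driver that rejects those features — otherwise a caller has no way to tell whether the hardening took effect on the XMLReader actually selected at runtime. parseText continues past the end of the hunk.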

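--- a/src/main/java/org/dom4j/io/SAXHelper.java
+++ b/src/main/java/org/dom4j/io/SAXHelper.java
@@ -13,12 +13,14 @@
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
 
+import javax.xml.parsers.SAXParserFactory;
+
 /**
 * <p>
 * <code>SAXHelper</code> contains some helper methods for working with SAX
 * and XMLReader objects.
 * </p>
-*
+*
 * @author <a href="mailto:james.strachan@metastuff.com">James Strachan </a>
 * @version $Revision: 1.18 $
 */
@@ -61,12 +63,21 @@ public static boolean setParserFeature(XMLReader reader,
 /**
 * Creats a default XMLReader via the org.xml.sax.driver system property or
 * JAXP if the system property is not set.
-*
+*
+* This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}.
+* Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties:
+*
+* <pre>
+* reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+* reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+* reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+* </pre>
+*
 * @param validating
 * DOCUMENT ME!
-*
+*
 * @return DOCUMENT ME!
-*
+*
 * @throws SAXException
 * DOCUMENT ME!
 */
@@ -125,12 +136,12 @@ public static XMLReader createXMLReader(boolean validating)
 * This method attempts to use JAXP to locate the SAX2 XMLReader
 * implementation. This method uses reflection to avoid being dependent
 * directly on the JAXP classes.
-*
+*
 * @param validating
 * DOCUMENT ME!
 * @param namespaceAware
 * DOCUMENT ME!
-*
+*
 * @return DOCUMENT ME!
 */
 protected static XMLReader createXMLReaderViaJAXP(boolean validating,
@@ -176,24 +187,24 @@ protected static boolean isVerboseErrorReporting() {
 * Redistribution and use of this software and associated documentation
 * ("Software"), with or without modification, are permitted provided that the
 * following conditions are met:
-*
+*
 * 1. Redistributions of source code must retain copyright statements and
 * notices. Redistributions must also contain a copy of this document.
-*
+*
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
-*
+*
 * 3. The name "DOM4J" must not be used to endorse or promote products derived
 * from this Software without prior written permission of MetaStuff, Ltd. For
 * written permission, please contact dom4j-info@metastuff.com.
-*
+*
 * 4. Products derived from this Software may not be called "DOM4J" nor may
 * "DOM4J" appear in their names without prior written permission of MetaStuff,
 * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
-*
+*
 * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
-*
+*
 * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -205,6 +216,6 @@ protected static boolean isVerboseErrorReporting() {
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
-*
+*
 * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
 */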
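Review bot: The hardening snippet added to the createXMLReader Javadoc (new lines 70–74) lists only the three features that stop the parser fetching external resources; it says nothing about `XMLConstants.FEATURE_SECURE_PROCESSING`, which is the switch that bounds internal entity expansion, so a reader configured exactly as documented is still unbounded on that axis — consider a fourth line `reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` in the same `<pre>` block. The snippet also calls setFeature directly, which throws when a driver does not recognise a feature, while the class already exposes `setParserFeature(XMLReader reader, …)` (visible in the hunk header, and by its boolean return presumably a tolerant wrapper); the Javadoc could point callers at that helper instead. The same comment block is edited but its `DOCUMENT ME!` placeholders for @param validating, @return and @throws are left unfilled. Note too that the line-13 hunk adds an import of javax.xml.parsers.SAXParserFactory that, as far as this page shows, is referenced only from a {@link}, while the unchanged text at line 137 states the class uses reflection to avoid a direct dependency on JAXP classes; a fully-qualified {@link javax.xml.parsers.SAXParserFactory} would keep that statement true without the import.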
