
SAXReader uses system default XMLReader with its defaults. New factor…

…y method SAXReader.createDefault() sets more secure defaults.
FilipJirsak committed Apr 11, 2020
1 parent 1707bf3 commit a8228522a99a02146106672a34c104adbda5c658
@@ -107,12 +107,12 @@ public static QName createQName(String localName) {
* XPath <code>XPath</code> instance using the singleton {@link
* DocumentFactory}.
* </p>
*
*
* @param xpathExpression
* is the XPath expression to create
*
*
* @return a new <code>XPath</code> instance
*
*
* @throws InvalidXPathException
* if the XPath expression is invalid
*/
@@ -127,14 +127,14 @@ public static XPath createXPath(String xpathExpression)
* XPath <code>XPath</code> instance using the singleton {@link
* DocumentFactory}.
* </p>
*
*
* @param xpathExpression
* is the XPath expression to create
* @param context
* is the variable context to use when evaluating the XPath
*
*
* @return a new <code>XPath</code> instance
*
*
* @throws InvalidXPathException
* if the XPath expression is invalid
*/
@@ -150,10 +150,10 @@ public static XPath createXPath(String xpathExpression,
* filter expressions occur within XPath expressions such as
* <code>self::node()[ filterExpression ]</code>
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to create
*
*
* @return a new <code>NodeFilter</code> instance
*/
public static NodeFilter createXPathFilter(String xpathFilterExpression) {
@@ -166,10 +166,10 @@ public static NodeFilter createXPathFilter(String xpathFilterExpression) {
* an XSLT style {@link Pattern}instance which can then be used in an XSLT
* processing model.
* </p>
*
*
* @param xpathPattern
* is the XPath pattern expression to create
*
*
* @return a new <code>Pattern</code> instance
*/
public static Pattern createPattern(String xpathPattern) {
@@ -182,12 +182,12 @@ public static Pattern createPattern(String xpathPattern) {
* {@link List}of {@link Node}instances appending all the results together
* into a single list.
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to evaluate
* @param nodes
* is the list of nodes on which to evalute the XPath
*
*
* @return the results of all the XPath evaluations as a single list
*/
public static List<Node> selectNodes(String xpathFilterExpression, List<Node> nodes) {
@@ -202,12 +202,12 @@ public static Pattern createPattern(String xpathPattern) {
* {@link List}of {@link Node}instances appending all the results together
* into a single list.
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to evaluate
* @param node
* is the Node on which to evalute the XPath
*
*
* @return the results of all the XPath evaluations as a single list
*/
public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
@@ -221,7 +221,7 @@ public static Pattern createPattern(String xpathPattern) {
* <code>sort</code> sorts the given List of Nodes using an XPath
* expression as a {@link java.util.Comparator}.
* </p>
*
*
* @param list
* is the list of Nodes to sort
* @param xpathExpression
@@ -238,7 +238,7 @@ public static void sort(List<Node> list, String xpathExpression) {
* expression as a {@link java.util.Comparator}and optionally removing
* duplicates.
* </p>
*
*
* @param list
* is the list of Nodes to sort
* @param expression
@@ -259,24 +259,17 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
* </p>
*
* Loading external DTD and entities is disabled (if it is possible) for security reasons.
*
*
* @param text
* the XML text to be parsed
*
*
* @return a newly parsed Document
*
*
* @throws DocumentException
* if the document could not be parsed
*/
public static Document parseText(String text) throws DocumentException {
SAXReader reader = new SAXReader();
try {
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (SAXException e) {
//Parse with external resources downloading allowed.
}
SAXReader reader = SAXReader.createDefault();

String encoding = getEncoding(text);
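Review bot: The Javadoc above parseText still says external DTD and entity loading is disabled "(if it is possible)", but with the reader now obtained from `SAXReader.createDefault()` nothing in this hunk shows what happens when the parser rejects those features; the factory's body is not on this page. The try/catch printed here, which appears to be the removed side, swallowed the SAXException and parsed anyway, so if createDefault() keeps that fallback, callers passing untrusted text to parseText still cannot tell whether the protection is active. I would state the contract in the comment, e.g. `* External DTD and entity loading is disabled by {@link SAXReader#createDefault()}; see that method for what happens if the parser does not support these features.` A test that feeds parseText a document declaring an external entity and asserts it is not resolved would pin the behaviour. The body of parseText continues past the end of the hunk.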

@@ -330,14 +323,14 @@ private static String getEncoding(String text) {
* get the first child &lt;a&gt; element, which would be created if it did
* not exist, then the next child &lt;b&gt; and so on until finally a
* &lt;c&gt; element is returned.
*
*
* @param source
* is the Element or Document to start navigating from
* @param path
* is a simple path expression, seperated by '/' which denotes
* the path from the source to the resulting element such as
* a/b/c
*
*
* @return the first Element on the given path which either already existed
* on the path or were created by this method.
*/
@@ -386,24 +379,24 @@ public static Element makeElement(Branch source, String path) {
* Redistribution and use of this software and associated documentation
* ("Software"), with or without modification, are permitted provided that the
* following conditions are met:
*
*


bushuevky Jun 6, 2020

bushuev.byshyi


bushuevky Jun 6, 2020

bushuev.byshyi

* 1. Redistributions of source code must retain copyright statements and
* notices. Redistributions must also contain a copy of this document.
*
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* 3. The name "DOM4J" must not be used to endorse or promote products derived
* from this Software without prior written permission of MetaStuff, Ltd. For
* written permission, please contact dom4j-info@metastuff.com.
*


bushuevky Jun 6, 2020

bushuev.byshyi @gmail.com

*
* 4. Products derived from this Software may not be called "DOM4J" nor may
* "DOM4J" appear in their names without prior written permission of MetaStuff,
* Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
*


*
* 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org


*


*
* THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -415,6 +408,6 @@ public static Element makeElement(Branch source, String path) {
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*
* Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
*/
@@ -13,12 +13,14 @@
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

import javax.xml.parsers.SAXParserFactory;

/**
* <p>
* <code>SAXHelper</code> contains some helper methods for working with SAX
* and XMLReader objects.
* </p>
*
*
* @author <a href="mailto:james.strachan@metastuff.com">James Strachan </a>
* @version $Revision: 1.18 $
*/
@@ -61,12 +63,21 @@ public static boolean setParserFeature(XMLReader reader,
/**
* Creats a default XMLReader via the org.xml.sax.driver system property or
* JAXP if the system property is not set.
*
*
* This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}.
* Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties:
*
* <pre>
* reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
* reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
* reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
* </pre>
*
* @param validating
* DOCUMENT ME!
*
*
* @return DOCUMENT ME!
*
*
* @throws SAXException
* DOCUMENT ME!
*/
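Review bot: The paragraph added to this Javadoc (apparently for createXMLReader) says "Consider setting the following properties", but the three lines it lists are SAX features set through setFeature, and the text never says why a caller would want them. I would reword the lead-in to `* This method does not disable loading of external DTDs or external entities; callers parsing untrusted XML should disable the following features:` so the risk is stated at the point where the unconfigured reader is handed out. The `@param`, `@return` and `@throws` entries in the same comment still read `DOCUMENT ME!` and could be filled in while the comment is being edited. The method body lies outside this hunk, so whether it sets any feature itself cannot be seen here.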
@@ -125,12 +136,12 @@ public static XMLReader createXMLReader(boolean validating)
* This method attempts to use JAXP to locate the SAX2 XMLReader
* implementation. This method uses reflection to avoid being dependent
* directly on the JAXP classes.
*
*
* @param validating
* DOCUMENT ME!
* @param namespaceAware
* DOCUMENT ME!
*
*
* @return DOCUMENT ME!
*/
protected static XMLReader createXMLReaderViaJAXP(boolean validating,
@@ -176,24 +187,24 @@ protected static boolean isVerboseErrorReporting() {
* Redistribution and use of this software and associated documentation
* ("Software"), with or without modification, are permitted provided that the
* following conditions are met:
*
*
* 1. Redistributions of source code must retain copyright statements and
* notices. Redistributions must also contain a copy of this document.
*
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* 3. The name "DOM4J" must not be used to endorse or promote products derived
* from this Software without prior written permission of MetaStuff, Ltd. For
* written permission, please contact dom4j-info@metastuff.com.
*
*
* 4. Products derived from this Software may not be called "DOM4J" nor may
* "DOM4J" appear in their names without prior written permission of MetaStuff,
* Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
*
*
* 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
*
*
* THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -205,6 +216,6 @@ protected static boolean isVerboseErrorReporting() {
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*
* Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
*/
