SAXReader uses system default XMLReader with its defaults. New factor…
…y method SAXReader.createDefault() sets more secure defaults.
FilipJirsak committed Apr 11, 2020
1 parent 1707bf3 commit a822852
Showing 3 changed files with 973 additions and 953 deletions.
65 changes: 29 additions & 36 deletions src/main/java/org/dom4j/DocumentHelper.java
Expand Up @@ -107,12 +107,12 @@ public static QName createQName(String localName) {
* XPath <code>XPath</code> instance using the singleton {@link
* DocumentFactory}.
* </p>
*
*
* @param xpathExpression
* is the XPath expression to create
*
*
* @return a new <code>XPath</code> instance
*
*
* @throws InvalidXPathException
* if the XPath expression is invalid
*/
Expand All @@ -127,14 +127,14 @@ public static XPath createXPath(String xpathExpression)
* XPath <code>XPath</code> instance using the singleton {@link
* DocumentFactory}.
* </p>
*
*
* @param xpathExpression
* is the XPath expression to create
* @param context
* is the variable context to use when evaluating the XPath
*
*
* @return a new <code>XPath</code> instance
*
*
* @throws InvalidXPathException
* if the XPath expression is invalid
*/
Expand All @@ -150,10 +150,10 @@ public static XPath createXPath(String xpathExpression,
* filter expressions occur within XPath expressions such as
* <code>self::node()[ filterExpression ]</code>
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to create
*
*
* @return a new <code>NodeFilter</code> instance
*/
public static NodeFilter createXPathFilter(String xpathFilterExpression) {
Expand All @@ -166,10 +166,10 @@ public static NodeFilter createXPathFilter(String xpathFilterExpression) {
* an XSLT style {@link Pattern}instance which can then be used in an XSLT
* processing model.
* </p>
*
*
* @param xpathPattern
* is the XPath pattern expression to create
*
*
* @return a new <code>Pattern</code> instance
*/
public static Pattern createPattern(String xpathPattern) {
Expand All @@ -182,12 +182,12 @@ public static Pattern createPattern(String xpathPattern) {
* {@link List}of {@link Node}instances appending all the results together
* into a single list.
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to evaluate
* @param nodes
* is the list of nodes on which to evalute the XPath
*
*
* @return the results of all the XPath evaluations as a single list
*/
public static List<Node> selectNodes(String xpathFilterExpression, List<Node> nodes) {
Expand All @@ -202,12 +202,12 @@ public static List<Node> selectNodes(String xpathFilterExpression, List<Node> no
* {@link List}of {@link Node}instances appending all the results together
* into a single list.
* </p>
*
*
* @param xpathFilterExpression
* is the XPath filter expression to evaluate
* @param node
* is the Node on which to evalute the XPath
*
*
* @return the results of all the XPath evaluations as a single list
*/
public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
Expand All @@ -221,7 +221,7 @@ public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
* <code>sort</code> sorts the given List of Nodes using an XPath
* expression as a {@link java.util.Comparator}.
* </p>
*
*
* @param list
* is the list of Nodes to sort
* @param xpathExpression
Expand All @@ -238,7 +238,7 @@ public static void sort(List<Node> list, String xpathExpression) {
* expression as a {@link java.util.Comparator}and optionally removing
* duplicates.
* </p>
*
*
* @param list
* is the list of Nodes to sort
* @param expression
Expand All @@ -259,24 +259,17 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
* </p>
*
* Loading external DTD and entities is disabled (if it is possible) for security reasons.
*
*
* @param text
* the XML text to be parsed
*
*
* @return a newly parsed Document
*
*
* @throws DocumentException
* if the document could not be parsed
*/
public static Document parseText(String text) throws DocumentException {
SAXReader reader = new SAXReader();
try {
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (SAXException e) {
//Parse with external resources downloading allowed.
}
SAXReader reader = SAXReader.createDefault();

String encoding = getEncoding(text);

Expand Down Expand Up @@ -330,14 +323,14 @@ private static String getEncoding(String text) {
* get the first child &lt;a&gt; element, which would be created if it did
* not exist, then the next child &lt;b&gt; and so on until finally a
* &lt;c&gt; element is returned.
*
*
* @param source
* is the Element or Document to start navigating from
* @param path
* is a simple path expression, seperated by '/' which denotes
* the path from the source to the resulting element such as
* a/b/c
*
*
* @return the first Element on the given path which either already existed
* on the path or were created by this method.
*/
Expand Down Expand Up @@ -386,24 +379,24 @@ public static Element makeElement(Branch source, String path) {
* Redistribution and use of this software and associated documentation
* ("Software"), with or without modification, are permitted provided that the
* following conditions are met:
*
*

@bushuevky

bushuevky Jun 6, 2020

bushuev.byshyi

@bushuevky

bushuevky Jun 6, 2020

bushuev.byshyi

* 1. Redistributions of source code must retain copyright statements and
* notices. Redistributions must also contain a copy of this document.
*
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* 3. The name "DOM4J" must not be used to endorse or promote products derived
* from this Software without prior written permission of MetaStuff, Ltd. For
* written permission, please contact dom4j-info@metastuff.com.
*

@bushuevky

bushuevky Jun 6, 2020

bushuev.byshyi @gmail.com

*
* 4. Products derived from this Software may not be called "DOM4J" nor may
* "DOM4J" appear in their names without prior written permission of MetaStuff,
* Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
*

@bushuevky
*
* 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org

@bushuevky
*

@bushuevky
*
* THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
Expand All @@ -415,6 +408,6 @@ public static Element makeElement(Branch source, String path) {
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*
* Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
*/
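Review bot: The Javadoc on parseText still says loading of external DTDs and entities is disabled `(if it is possible)`, but the hunk now delegates that decision to `SAXReader.createDefault()` (defined in a file not shown on this page), so a reader of this method can no longer tell what happens when the underlying XMLReader rejects those features — the removed code silently fell back to a reader with external resource loading enabled, and whether the factory preserves that fallback or fails is not visible here. Suggest pointing the doc at the factory and stating the fallback explicitly once confirmed, e.g. `* Loading external DTD and entities is disabled for security reasons via {@link SAXReader#createDefault()}; see that method for the exact features applied and the behaviour when the parser does not support them.` parseText's body continues past the end of the hunk.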
37 changes: 24 additions & 13 deletions src/main/java/org/dom4j/io/SAXHelper.java
Expand Up @@ -13,12 +13,14 @@
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

import javax.xml.parsers.SAXParserFactory;

/**
* <p>
* <code>SAXHelper</code> contains some helper methods for working with SAX
* and XMLReader objects.
* </p>
*
*
* @author <a href="mailto:james.strachan@metastuff.com">James Strachan </a>
* @version $Revision: 1.18 $
*/
Expand Down Expand Up @@ -61,12 +63,21 @@ public static boolean setParserFeature(XMLReader reader,
/**
* Creats a default XMLReader via the org.xml.sax.driver system property or
* JAXP if the system property is not set.
*
*
* This method internally calls {@link SAXParserFactory}{@code .newInstance().newSAXParser().getXMLReader()} or {@link XMLReaderFactory#createXMLReader()}.
* Be sure to configure returned reader if the default configuration does not suit you. Consider setting the following properties:
*
* <pre>
* reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
* reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
* reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
* </pre>
*
* @param validating
* DOCUMENT ME!
*
*
* @return DOCUMENT ME!
*
*
* @throws SAXException
* DOCUMENT ME!
*/
Expand Down Expand Up @@ -125,12 +136,12 @@ public static XMLReader createXMLReader(boolean validating)
* This method attempts to use JAXP to locate the SAX2 XMLReader
* implementation. This method uses reflection to avoid being dependent
* directly on the JAXP classes.
*
*
* @param validating
* DOCUMENT ME!
* @param namespaceAware
* DOCUMENT ME!
*
*
* @return DOCUMENT ME!
*/
protected static XMLReader createXMLReaderViaJAXP(boolean validating,
Expand Down Expand Up @@ -176,24 +187,24 @@ protected static boolean isVerboseErrorReporting() {
* Redistribution and use of this software and associated documentation
* ("Software"), with or without modification, are permitted provided that the
* following conditions are met:
*
*
* 1. Redistributions of source code must retain copyright statements and
* notices. Redistributions must also contain a copy of this document.
*
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* 3. The name "DOM4J" must not be used to endorse or promote products derived
* from this Software without prior written permission of MetaStuff, Ltd. For
* written permission, please contact dom4j-info@metastuff.com.
*
*
* 4. Products derived from this Software may not be called "DOM4J" nor may
* "DOM4J" appear in their names without prior written permission of MetaStuff,
* Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
*
*
* 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
*
*
* THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
Expand All @@ -205,6 +216,6 @@ protected static boolean isVerboseErrorReporting() {
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*
* Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
*/
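Review bot: The expanded Javadoc on createXMLReader(boolean validating) still carries `DOCUMENT ME!` placeholders for `@param validating`, `@return` and `@throws SAXException` even though this hunk rewrites the block around them; with the return type visible in the signature, `@return the newly created {@code XMLReader}` can be filled in now, and `@param validating` presumably selects the validation feature of that reader — confirm against the method body, which lies outside the hunk. Since the commit introduces `SAXReader.createDefault()` for exactly the hardening the new `<pre>` block asks callers to do by hand, a `@see SAXReader#createDefault()` line under it would steer callers to the supported path instead of copying feature URIs. The `Creats` typo on the summary line could be fixed in passing.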