
SAXReader uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser() which has insecure defaults #87

Closed
@FilipJirsak

Description


The constructor new org.dom4j.io.SAXReader() calls one of the factory methods from the Java runtime library – org.xml.sax.helpers.XMLReaderFactory.createXMLReader() or javax.xml.parsers.SAXParserFactory.newInstance().newSAXParser(). These factory methods do not have safe defaults, such as downloading external entities.
Create the new factory method org.dom4j.io.SAXReader.createDefault() which overrides the Java runtime library defaults and sets the following features:

reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
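An added example (not part of the issue or of dom4j's own code) showing how an application can apply the three features itself today and verify, by reading them back from the underlying XMLReader, that the runtime factory default has actually been overridden. It assumes dom4j's public SAXReader API (setFeature, getXMLReader, read) and uses a constructed document whose SYSTEM identifier is a placeholder that the hardened reader never fetches.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedSaxReaderExample {

    static final String[] FEATURES_TO_DISABLE = {
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"
    };

    // Builds a SAXReader with the three features from the issue explicitly
    // disabled instead of trusting whatever the runtime factory returns.
    static SAXReader createHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        for (String feature : FEATURES_TO_DISABLE) {
            reader.setFeature(feature, false);
        }
        return reader;
    }

    // Reads the features back from the wrapped XMLReader; suitable as a unit
    // test guard so a regression to the factory defaults is caught early.
    static boolean isHardened(SAXReader reader) throws SAXException {
        for (String feature : FEATURES_TO_DISABLE) {
            if (reader.getXMLReader().getFeature(feature)) {
                return false;
            }
        }
        return true;
    }

    // Constructed sample: declares and references an external general entity.
    // The SYSTEM identifier is a placeholder, not a real resource.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"http://example.invalid/placeholder.txt\"> ]>\n"
        + "<note>&ext;</note>";

    public static void main(String[] args) throws SAXException, DocumentException {
        SAXReader reader = createHardenedReader();
        System.out.println("external entity loading disabled: " + isHardened(reader));
        // With the features off the parser skips the external reference rather
        // than fetching the placeholder URL, so the parse completes offline.
        Document doc = reader.read(new StringReader(SAMPLE_XML));
        System.out.println("root element parsed: " + doc.getRootElement().getName());
    }
}
```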
