eXist-db · dizzzz · Sep 25, 2018 · Jan 3, 2017 · Sep 24, 2018 · Sep 25, 2018
diff --git a/conf.xml.tmpl b/conf.xml.tmpl
@@ -566,6 +566,18 @@
     <!--
         Default settings for parsing structured documents:
 
+        - xml (optional)
+
+            - features
+                Any default SAX2 feature flags to set on the parser
+
+                    - feature
+                        - name
+                            the name of the feature flag
+                        - value
+                            the value of the feature flag
+
+
         - html-to-xml (optional)
 
             - class
@@ -603,6 +615,22 @@
     -->
     <parser>
 
+        <xml>
+
+            <features>
+
+                <!-- NOTE: the following feature flags should likely be set in production to ensure a secure environment -->
+
+                <!--
+                <feature name="http://xml.org/sax/features/external-general-entities" value="false"/>
+                <feature name="http://xml.org/sax/features/external-parameter-entities" value="false"/>
+                <feature name="http://javax.xml.XMLConstants/feature/secure-processing" value="true"/>
+                -->
+
+            </features>
+
+        </xml>
+
         <!-- html-to-xml class="org.ccil.cowan.tagsoup.Parser"/ -->
 
         <html-to-xml class="org.cyberneko.html.parsers.SAXParser">

diff --git a/src/org/exist/util/Configuration.java b/src/org/exist/util/Configuration.java
@@ -538,6 +538,28 @@ private void configureTransformer( Element transformer )
     }
 
     private void configureParser(final Element parser) {
+        configureXmlParser(parser);
+        configureHtmlToXmlParser(parser);
+    }
+
+    private void configureXmlParser(final Element parser) {
+        final NodeList nlXml = parser.getElementsByTagName(XMLReaderPool.XmlParser.XML_PARSER_ELEMENT);
+        if(nlXml.getLength() > 0) {
+            final Element xml = (Element)nlXml.item(0);
+
+            final NodeList nlFeatures = xml.getElementsByTagName(XMLReaderPool.XmlParser.XML_PARSER_FEATURES_ELEMENT);
+            if(nlFeatures.getLength() > 0) {
+                final Properties pFeatures = ParametersExtractor.parseFeatures(nlFeatures.item(0));
+                if(pFeatures != null) {
+                    final Map<String, Boolean> features = new HashMap<>();
+                    pFeatures.forEach((k,v) -> features.put(k.toString(), Boolean.valueOf(v.toString())));
+                    config.put(XMLReaderPool.XmlParser.XML_PARSER_FEATURES_PROPERTY, features);
+                }
+            }
+        }
+    }
+
+    private void configureHtmlToXmlParser(final Element parser) {
         final NodeList nlHtmlToXml = parser.getElementsByTagName(HtmlToXmlParser.HTML_TO_XML_PARSER_ELEMENT);
         if(nlHtmlToXml.getLength() > 0) {
             final Element htmlToXml = (Element)nlHtmlToXml.item(0);

diff --git a/src/org/exist/util/XMLReaderPool.java b/src/org/exist/util/XMLReaderPool.java
@@ -27,12 +27,16 @@
 import org.exist.Namespaces;
 import org.exist.storage.BrokerPool;
 import org.exist.storage.BrokerPoolService;
+import org.exist.storage.BrokerPoolServiceException;
 import org.exist.validation.GrammarPool;
 import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.ext.DefaultHandler2;
 
+import javax.xml.parsers.ParserConfigurationException;
+import java.util.Map;
+
 /**
  * Maintains a pool of XMLReader objects. The pool is available through
  * {@link BrokerPool#getParserPool()}.
@@ -45,25 +49,46 @@ public class XMLReaderPool extends StackObjectPool<XMLReader> implements BrokerP
 
     private final static DefaultHandler2 DUMMY_HANDLER = new DefaultHandler2();
 
+    private Configuration configuration = null;
+
     /**
      * 
      * 
      * @param factory 
      * @param maxIdle 
      * @param initIdleCapacity 
      */
-    public XMLReaderPool(PoolableObjectFactory<XMLReader> factory, int maxIdle, int initIdleCapacity) {
+    public XMLReaderPool(final PoolableObjectFactory<XMLReader> factory, final int maxIdle, final int initIdleCapacity) {
         super(factory, maxIdle, initIdleCapacity);
     }
 
+    @Override
+    public void configure(final Configuration configuration) throws BrokerPoolServiceException {
+        this.configuration = configuration;
+    }
+
     public synchronized XMLReader borrowXMLReader() {
         try {
-            return super.borrowObject();
+            final XMLReader reader = super.borrowObject();
+            setParserConfigFeatures(reader);
+            return reader;
         } catch (final Exception e) {
             throw new IllegalStateException("error while returning XMLReader: " + e.getMessage(), e );
         }
     }
 
+    /**
+     * Sets any features for the parser which were defined in conf.xml
+     */
+    private void setParserConfigFeatures(final XMLReader xmlReader) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
+        final Map<String, Boolean> parserFeatures = (Map<String, Boolean>)configuration.getProperty(XmlParser.XML_PARSER_FEATURES_PROPERTY);
+        if(parserFeatures != null) {
+            for(final Map.Entry<String, Boolean> feature : parserFeatures.entrySet()) {
+                xmlReader.setFeature(feature.getKey(), feature.getValue());
+            }
+        }
+    }
+
     @Override
     public synchronized XMLReader borrowObject() throws Exception {
         return borrowXMLReader();
@@ -115,6 +140,12 @@ private Object getReaderProperty(XMLReader xmlReader, String propertyName){
         return object;
     }
 
-
+
+    // just used for config properties
+    public interface XmlParser {
+        String XML_PARSER_ELEMENT = "xml";
+        String XML_PARSER_FEATURES_ELEMENT = "features";
+        String XML_PARSER_FEATURES_PROPERTY = "parser.xml-parser.features";
+    }
 
 }