Implemented "[ #315668 ] Disable loading of external entities in XML …
…parsing by default".
ebruchez committed Dec 4, 2010
1 parent 9610d39 commit aba6681
Showing 1 changed file with 16 additions and 25 deletions.
41 changes: 16 additions & 25 deletions src/java/org/orbeon/oxf/xml/xerces/XercesSAXParserFactoryImpl.java
Expand Up @@ -4,13 +4,9 @@
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;
import java.util.*;

/**
* Boasts a couple of improvements over the 'stock' xerces parser factory.
Expand Down Expand Up @@ -42,47 +38,43 @@ public class XercesSAXParserFactoryImpl extends SAXParserFactory {
static {
{
final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(false, true);
final Collection features = configuration.getRecognizedFeatures();
recognizedFeaturesNonValidatingXInclude = Collections.unmodifiableCollection(features);
final Collection recognizedFeatures = configuration.getRecognizedFeatures();
recognizedFeaturesNonValidatingXInclude = Collections.unmodifiableCollection(recognizedFeatures);
defaultFeaturesNonValidatingXInclude = configuration.getFeatures();
// This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
// move it back if we decide to make this class more general purpose.
defaultFeaturesNonValidatingXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
defaultFeaturesNonValidatingXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
addDefaultFeatures(defaultFeaturesNonValidatingXInclude);
}
{
final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(false, false);
final Collection features = configuration.getRecognizedFeatures();
recognizedFeaturesNonValidatingNoXInclude = Collections.unmodifiableCollection(features);
defaultFeaturesNonValidatingNoXInclude = configuration.getFeatures();
// This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
// move it back if we decide to make this class more general purpose.
defaultFeaturesNonValidatingNoXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
defaultFeaturesNonValidatingNoXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
addDefaultFeatures(defaultFeaturesNonValidatingNoXInclude);
}

{
final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(true, true);
final Collection features = configuration.getRecognizedFeatures();
recognizedFeaturesValidatingXInclude = Collections.unmodifiableCollection(features);
defaultFeaturesValidatingXInclude = configuration.getFeatures();
// This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
// move it back if we decide to make this class more general purpose.
defaultFeaturesValidatingXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
defaultFeaturesValidatingXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
addDefaultFeatures(defaultFeaturesValidatingXInclude);
}
{
final OrbeonParserConfiguration configuration = XercesSAXParser.makeConfig(true, false);
final Collection features = configuration.getRecognizedFeatures();
recognizedFeaturesValidatingNoXInclude = Collections.unmodifiableCollection(features);
defaultFeaturesValidatingNoXInclude = configuration.getFeatures();
// This was being done in XMLUtils.createSaxParserFactory before. Maybe want to
// move it back if we decide to make this class more general purpose.
defaultFeaturesValidatingNoXInclude.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
defaultFeaturesValidatingNoXInclude.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
addDefaultFeatures(defaultFeaturesValidatingNoXInclude);
}
}

private static void addDefaultFeatures(Map features) {
features.put("http://xml.org/sax/features/namespaces", Boolean.TRUE);
features.put("http://xml.org/sax/features/namespace-prefixes", Boolean.FALSE);
// For security purposes, disable external entities
features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
}

private final Hashtable features;
private final boolean validating;
private final boolean handleXInclude;
Expand Down Expand Up @@ -112,14 +104,13 @@ public void setFeature(final String key, final boolean val) throws SAXNotRecogni
features.put(key, val ? Boolean.TRUE : Boolean.FALSE);
}

public SAXParser newSAXParser() throws ParserConfigurationException {
public SAXParser newSAXParser() {
final SAXParser ret;
try {
ret = new XercesJAXPSAXParser(this, features, validating, handleXInclude);
} catch (final SAXException se) {
// Translate to ParserConfigurationException
throw new OXFException(se); // so we see a decent stack trace!
// throw new ParserConfigurationException(se.getMessage());
}
return ret;
}
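Review bot: Disabling `external-general-entities` and `external-parameter-entities` in addDefaultFeatures stops entity bodies from being fetched, but to my knowledge Xerces still retrieves the external DTD subset named in a DOCTYPE unless `http://apache.org/xml/features/nonvalidating/load-external-dtd` is also false, so the "disable loading of external entities" goal in the commit title is only partly met for the two `makeConfig(false, …)` configurations; consider adding `features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);` next to the two new lines, while the `makeConfig(true, …)` configurations presumably need the DTD for validation and may have to keep it enabled. Neither setting bounds internal entity expansion; if documents from untrusted sources are expected, `http://apache.org/xml/features/disallow-doctype-decl` is the stricter option, but it rejects any DOCTYPE and so probably belongs in a caller-selectable profile rather than in these shared defaults. These are also only defaults: `setFeature` at the top of the following hunk writes directly into the per-factory `features` table, so a caller can re-enable external entities, and the `// For security purposes` comment should say so, e.g. `// Defaults only: setFeature() can re-enable these on a given factory instance.`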
