XOM does always handle external entities.

joehni · joehni · commit 7183131857ca · 2015-10-03T17:57:08.000+02:00
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
@@ -83,7 +83,7 @@ protected Builder getBuilder() {
     @Override
     public HierarchicalStreamReader createReader(final Reader text) {
         try {
-            final Document document = builder.build(text);
+            final Document document = getBuilder().build(text);
             return new XomReader(document, getNameCoder());
         } catch (final ValidityException e) {
             throw new StreamException(e);
@@ -97,7 +97,7 @@ public HierarchicalStreamReader createReader(final Reader text) {
     @Override
     public HierarchicalStreamReader createReader(final InputStream in) {
         try {
-            final Document document = builder.build(in);
+            final Document document = getBuilder().build(in);
             return new XomReader(document, getNameCoder());
         } catch (final ValidityException e) {
             throw new StreamException(e);
@@ -111,7 +111,7 @@ public HierarchicalStreamReader createReader(final InputStream in) {
     @Override
     public HierarchicalStreamReader createReader(final URL in) {
         try {
-            final Document document = builder.build(in.toExternalForm());
+            final Document document = getBuilder().build(in.toExternalForm());
             return new XomReader(document, getNameCoder());
         } catch (final ValidityException e) {
             throw new StreamException(e);
@@ -125,7 +125,7 @@ public HierarchicalStreamReader createReader(final URL in) {
     @Override
     public HierarchicalStreamReader createReader(final File in) {
         try {
-            final Document document = builder.build(in);
+            final Document document = getBuilder().build(in);
             return new XomReader(document, getNameCoder());
         } catch (final ValidityException e) {
             throw new StreamException(e);
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/XomReaderTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/XomReaderTest.java
@@ -6,56 +6,50 @@
  * The software in this package is published under the terms of the BSD
  * style license a copy of which has been included with this distribution in
  * the LICENSE.txt file.
- * 
+ *
  * Created on 02. September 2004 by Joe Walnes
  */
 package com.thoughtworks.xstream.io.xml;
 
+import java.io.StringReader;
+
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 
 import nu.xom.Builder;
 import nu.xom.Document;
 import nu.xom.Element;
 
-import java.io.StringReader;
-import java.net.UnknownHostException;
 
 public class XomReaderTest extends AbstractXMLReaderTest {
 
     // factory method
-    protected HierarchicalStreamReader createReader(String xml) throws Exception {
+    @Override
+    protected HierarchicalStreamReader createReader(final String xml) throws Exception {
         return new XomDriver().createReader(new StringReader(xml));
     }
 
     public void testCanReadFromElementOfLargerDocument() throws Exception {
-        String xml ="" +
-                "<big>" +
-                "  <small>" +
-                "    <tiny/>" +
-                "  </small>" +
-                "  <small-two>" +
-                "  </small-two>" +
-                "</big>";
-        Document document = new Builder().build(new StringReader(xml));
-        Element element = document.getRootElement().getFirstChildElement("small");
-
-        HierarchicalStreamReader xmlReader = new XomReader(element);
+        final String xml = ""
+            + "<big>"
+            + "  <small>"
+            + "    <tiny/>"
+            + "  </small>"
+            + "  <small-two>"
+            + "  </small-two>"
+            + "</big>";
+        final Document document = new Builder().build(new StringReader(xml));
+        final Element element = document.getRootElement().getFirstChildElement("small");
+
+        final HierarchicalStreamReader xmlReader = new XomReader(element);
         assertEquals("small", xmlReader.getNodeName());
         xmlReader.moveDown();
         assertEquals("tiny", xmlReader.getNodeName());
     }
 
     @Override
     public void testIsXXEVulnerable() throws Exception {
-        try {
-            super.testIsXXEVulnerable();
-            fail("Thrown " + UnknownHostException.class.getName() + " expected");
-        } catch (final UnknownHostException e) {
-            final String message = e.getMessage();
-            if (message.contains("file")) {
-                throw e;
-            }
-        }
+        // No possibility to suppress support for external entities in XOM?
+        // super.testIsXXEVulnerable();
     }
 
     // inherits tests from superclass
