Author: taher
Date: Mon Jun 18 12:23:44 2018
New Revision: 1833708
URL: http://svn.apache.org/viewvc?rev=1833708&view=rev
Log:
Improved: improve XML parsing with more restrictive settings
(OFBIZ-10435)
Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java?rev=1833708&r1=1833707&r2=1833708&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java Mon Jun 18 12:23:44 2018
@@ -431,6 +431,12 @@ public final class UtilXml {
factory.setAttribute("
http://xml.org/sax/features/validation", validate);
factory.setAttribute("
http://apache.org/xml/features/validation/schema", validate);
+ factory.setFeature("
http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("
http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("
http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+
// with a SchemaUrl, a URL object
DocumentBuilder builder = factory.newDocumentBuilder();
if (validate) {
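Review bot: The settings added before `factory.newDocumentBuilder()` still permit a DOCTYPE, and Xerces documents `nonvalidating/load-external-dtd` as always on when validation is on, so the `validate == true` path that follows can still load an external DTD. Internal entity expansion is also untouched by these five settings. If no caller depends on DTDs, consider adding `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, or at minimum `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` to bound entity expansion; otherwise a short comment naming the callers that need DOCTYPE support would document the remaining exposure. The enclosing method starts and ends outside this hunk, so whether an EntityResolver is installed on the builder later cannot be seen from here.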