
Commit a3c4b35

Improved setup for XML parsing (#1284)
1 parent c4ef730 commit a3c4b35

1 file changed

Lines changed: 9 additions & 1 deletion


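--- a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
+++ b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
@@ -19,6 +19,7 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -71,7 +72,14 @@ private String nameFromModuleXML(InputStream is) throws IOException
 
 try
 {
-SAXParser parser = SAXParserFactory.newDefaultInstance().newSAXParser();
+// Keep this in sync with config on XmlBeansUtil.SAX_PARSER_FACTORY. See motiviations in comments there.
+SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
+factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+SAXParser parser = factory.newSAXParser();
 parser.parse(is, new DefaultHandler()
 {
 final ArrayList<String> elementStack = new ArrayList<>();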
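Review bot: With `disallow-doctype-decl` set to true in nameFromModuleXML, any module XML that carries a DOCTYPE declaration now makes `parser.parse` throw a SAXException instead of yielding a name. The catch clauses of this try sit outside the hunk, so it cannot be confirmed from here whether that failure is reported or swallowed. Failing closed is the right outcome for XXE hardening, but the rejection should surface with the archive's identity so an operator can tell a hardened-parser rejection from a module that simply has no name. The comment above the factory setup only points at another class; a local statement of intent would serve readers of the bootstrap code better, e.g. `// XXE hardening: reject DOCTYPEs and external entities. Keep in sync with XmlBeansUtil.SAX_PARSER_FACTORY.`, which also drops the "motiviations" typo.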
