
anonymous /gist:5599156

Disallowing XML external entities in Java DocumentBuilderFactory.
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features

public class SafeDocumentBuilder {
    // Returns a DocumentBuilder that does not resolve external entities.
    public static DocumentBuilder newDocumentBuilder() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);

            // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
            // Must be true: a document containing a DOCTYPE declaration is then rejected.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

            // The remaining parser logic uses the builder returned here.
            return dbf.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            // Tried an unsupported feature. This may indicate that a different XML processor is being
            // used. If so, then its features need to be researched and applied correctly.
            // For example, using the Xerces 2 feature above on a Xerces 1 processor will throw this
            // exception. Fail closed instead of continuing with an unhardened parser.
            throw new IllegalStateException("XML parser does not support the required features", e);
        }
    }
}
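To confirm what each of the two features in the snippet above does on the parser actually on the classpath, the following check parses one constructed document under four configurations and reports the result. It is an added example, not part of the original gist; the class name `XxeHardeningCheck`, the marker string and the temporary file are assumptions made for the test, and it expects a Xerces 2-derived parser such as the one built into the JDK.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {
    static final String GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String MARKER = "CONSTRUCTED-MARKER-1234"; // constructed sample value

    // Parses xml with one feature set to the given value (feature == null: factory
    // defaults) and reports whether the marker reached the parsed document.
    static String outcome(String xml, String feature, boolean value) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (feature != null) {
            dbf.setFeature(feature, value);
        }
        try {
            String text = dbf.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement().getTextContent();
            return text.contains(MARKER) ? "entity expanded, file content in document"
                                         : "parsed, entity not expanded";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Local stand-in for a sensitive file, created and deleted by this check.
        Path target = Files.createTempFile("xxe-check", ".txt");
        Files.write(target, MARKER.getBytes(StandardCharsets.UTF_8));
        // Constructed test document: an external general entity pointing at that file.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + target.toUri() + "\">]>\n"
                + "<r>&e;</r>";
        try {
            System.out.println("factory defaults:         " + outcome(xml, null, false));
            System.out.println("general entities = false: " + outcome(xml, GENERAL, false));
            System.out.println("disallow-doctype = false: " + outcome(xml, DOCTYPE, false));
            System.out.println("disallow-doctype = true:  " + outcome(xml, DOCTYPE, true));
        } finally {
            Files.delete(target);
        }
    }
}
```

The feature values to deploy are the ones whose line reports a rejection or an unexpanded entity on the parser in use.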