Disallowing XML external entities in Java SAXParserFactory
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException; // catching unknown features
import org.xml.sax.SAXNotSupportedException; // catching known but unsupported features
import org.xml.sax.XMLReader;
SAXParserFactory spf = SAXParserFactory.newInstance();
try {
    // Xerces 1 -
    // Xerces 2 -
    // Using the SAXParserFactory's setFeature
    spf.setFeature("", false);
    // Xerces 2 only -
    spf.setFeature("", false);
    // Create the parser only after the factory is configured: factory
    // features apply only to parsers created after they are set.
    SAXParser saxParser = spf.newSAXParser();
    XMLReader reader = saxParser.getXMLReader();
    // Using the XMLReader's setFeature
    reader.setFeature("", false);
    // remaining parser logic
} catch (ParserConfigurationException e) {
    // Tried an unsupported feature.
} catch (SAXNotRecognizedException e) {
    // Tried an unknown feature.
} catch (SAXNotSupportedException e) {
    // Tried a feature known to the parser but unsupported.
} catch ... {


syllant commented Apr 9, 2015

Jon, you should delete or fix this code which is incorrect :) Line 26 should be:

spf.setFeature("", true);
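The following is an added example, not the gist author's or the commenter's code: a SAXParserFactory hardened before the parser is created, then checked against a constructed document that declares an external entity. The feature URIs are the standard SAX and Xerces names, supplied by this example rather than recovered from the blank strings above; the class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {
    // Feature names supplied by this example (standard SAX / Xerces identifiers).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Configure the factory BEFORE creating the parser: factory features
    // only apply to parsers created afterwards.
    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(DISALLOW_DOCTYPE, true);  // reject any document that carries a DOCTYPE
        spf.setFeature(EXT_GENERAL, false);      // defence in depth if DOCTYPE is ever re-enabled
        spf.setFeature(EXT_PARAMETER, false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parses(String xml) throws Exception {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the entity target is a placeholder path.
        String plain = "<note><to>ops</to></note>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>\n"
            + "<note>&ext;</note>";
        System.out.println("plain parsed: " + parses(plain));
        System.out.println("doctype parsed: " + parses(withDoctype));
    }
}
```

A parser that does not recognise one of these features throws from `setFeature`; treat that as a configuration failure rather than swallowing it, so an unhardened parser is never used silently.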


