author | Morten Tokle <mortent@yahooinc.com> | 2023-12-18 15:35:09 +0100 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-12-19 14:11:05 +0100 |
commit | b6368d66d4169e93c98df5fc6fe4df7cc9986c8b (patch) | |
tree | 29e625fb74ef12d55d1c1fa3af3d31cf1db4d8e9 /vespajlib/src | |
parent | 8936f5e5a97f810fc82a80d12c8ab91823120d66 (diff) |
Fix more xxe prevention
Diffstat (limited to 'vespajlib/src')
-rw-r--r-- | vespajlib/src/main/java/com/yahoo/text/XML.java | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/text/XML.java b/vespajlib/src/main/java/com/yahoo/text/XML.java
index a6e36a0c3e1..72a2dba54e1 100644
--- a/vespajlib/src/main/java/com/yahoo/text/XML.java
+++ b/vespajlib/src/main/java/com/yahoo/text/XML.java
@@ -9,9 +9,11 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerFactory;
 import java.io.File;
 import java.io.IOException;
 import java.io.Reader;
@@ -446,6 +448,19 @@ public class XML {
     }
 
     /**
+     * Creates a new XML TransformerFactory.
+     *
+     * @return a TransformerFactory
+     */
+    public static TransformerFactory createTransformerFactory() {
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        return transformerFactory;
+    }
+
+
+    /**
      * The point of this weird class and the jumble of abstract methods is
      * linking the scan for characters that must be quoted into the quoting
      * table, and making it actual work to make them go out of sync again. |
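Review bot: The new createTransformerFactory() blanks ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET but never enables XMLConstants.FEATURE_SECURE_PROCESSING, which is the usual companion setting for a hardened TransformerFactory; in the JDK's built-in implementation it additionally applies the processing limits and disables XSLT extension functions, so it is worth setting here too. setFeature throws the checked TransformerConfigurationException, so the call needs the try/catch shown below, and setAttribute itself may throw IllegalArgumentException if a non-JDK TransformerFactory implementation on the classpath does not recognise these attributes, which is probably the desired fail-closed behaviour but deserves a comment. The Javadoc should state the contract rather than just "Creates a new XML TransformerFactory", e.g. `Creates a TransformerFactory which does not resolve external DTDs or stylesheets; use this instead of TransformerFactory.newInstance()`. Note that these factory settings only govern input the transformer parses itself; a DOMSource produced by an unhardened parser is not covered by them.
```java
    public static TransformerFactory createTransformerFactory() {
        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        try {
            // Secure processing first; the explicit ACCESS_EXTERNAL_* attributes below still apply
            // even on implementations whose secure-processing mode is weaker than the JDK's.
            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("Secure processing is not supported by "
                                            + transformerFactory.getClass().getName(), e);
        }
        // … unchanged: ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET attributes and return …
```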