Fix more xxe prevention

1 files changed, 15 insertions, 0 deletions

diff --git a/vespajlib/src/main/java/com/yahoo/text/XML.java b/vespajlib/src/main/java/com/yahoo/text/XML.java
index a6e36a0c3e1..72a2dba54e1 100644
--- a/vespajlib/src/main/java/com/yahoo/text/XML.java
+++ b/vespajlib/src/main/java/com/yahoo/text/XML.java
@@ -9,9 +9,11 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerFactory;
 import java.io.File;
 import java.io.IOException;
 import java.io.Reader;
@@ -446,6 +448,19 @@ public class XML {
     }
 
     /**
+     * Creates a new XML TransformerFactory.
+     *
+     * @return a TransformerFactory
+     */
+    public static TransformerFactory createTransformerFactory() {
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        return transformerFactory;
+    }
+
+
+    /**
      * The point of this weird class and the jumble of abstract methods is
      * linking the scan for characters that must be quoted into the quoting
      * table, and making it actual work to make them go out of sync again.