
Hard to solve XML External Entities problem


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8
    • Fix Version/s: None
    • Component/s: SVG DOM
    • Labels: None

      Description

      Even if one agrees with the sentiments expressed in the comments of BATIK-1018, it should be possible to turn off XML external entity processing without subclassing Batik classes.

      Take for example SAXSVGDocumentFactory, which extends SAXDocumentFactory. When it comes time to parse the SVG in Document createDocument(InputSource is), line 401 of SAXDocumentFactory, the code uses either a String classname to instantiate the parser, or an internal static factory with package visibility.
      Therefore, the only way to create a parser is to subclass SAXDocumentFactory, override createDocument, and create your own parser, so that it can be configured to not process XXE.

      Any class that parses XML should either:

      • provide a public accessor method to access the default parser factory
      • allow passing in a parser factory
      • allow passing in a parser factory class name (less than ideal, requires user to write their own parser factory)
      • allow passing in a parser instance

      In the case of SAXDocumentFactory, a simple public static SAXParserFactory getDefaultParserFactory() would have obviated the need to subclass.
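The following is an added example, not code from the issue or from Batik: it shows what the injection point requested above looks like in practice. `InjectableSvgFactory` is a hypothetical stand-in for a document factory that accepts a caller-supplied `SAXParserFactory`, and `hardenedParserFactory()` plays the role of the proposed `getDefaultParserFactory()`, returning a factory with external entity processing switched off. The feature URIs are the standard JAXP and Apache Xerces ones, which the JDK's built-in parser also honours. The `main` method parses a constructed benign SVG and a constructed SVG carrying an external entity declaration (placeholder path) and shows that the second is rejected before any entity is fetched.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hypothetical document factory (not Batik's SAXDocumentFactory) that takes the
 * SAXParserFactory from the caller instead of building it internally, so the
 * caller can harden it without subclassing.
 */
public final class InjectableSvgFactory {

    private final SAXParserFactory parserFactory;

    public InjectableSvgFactory(SAXParserFactory parserFactory) {
        this.parserFactory = parserFactory;
    }

    /**
     * Stand-in for the proposed getDefaultParserFactory(): a factory configured
     * so that DOCTYPE declarations and external entities are not processed.
     */
    public static SAXParserFactory hardenedParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE outright; SVG rendering does not need one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser ignores the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Parses the SVG text and returns the qualified name of its root element. */
    public String parse(String svg)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = parserFactory.newSAXParser();
        XMLReader reader = parser.getXMLReader();
        final String[] root = new String[1];
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                if (root[0] == null) {
                    root[0] = qName;
                }
            }
        });
        // Last line of defence: if a resolver is ever consulted, fail loudly
        // instead of reading from the file system or the network.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution refused: " + systemId);
        });
        reader.parse(new InputSource(new StringReader(svg)));
        return root[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs. The SYSTEM path is a placeholder; parsing is
        // stopped at the DOCTYPE, so nothing is ever read from it.
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<rect width=\"1\" height=\"1\"/></svg>";
        String withExternalEntity = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE svg [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";

        InjectableSvgFactory factory = new InjectableSvgFactory(hardenedParserFactory());
        System.out.println("benign root element: " + factory.parse(benign));
        try {
            factory.parse(withExternalEntity);
            System.out.println("UNEXPECTED: document with external entity was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

The point of the constructor taking a `SAXParserFactory` is exactly the reporter's second option: the library still owns the parsing code, but the caller decides how the parser is configured. A library that instead exposes only a class name or a package-private factory forces every consumer to copy the hardening logic into a subclass, which is where configurations drift and XXE protection silently gets lost.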

              People

              • Assignee: Unassigned
              • Reporter: Tony BenBrahim

                Dates

                • Created:
                  Updated:
                  Resolved: