Even if one agrees with the sentiments expressed in the comments of BATIK-1018, it should be possible to turn off XML external entity processing without subclassing Batik classes.
Take for example SAXSVGDocumentFactory, which extends SAXDocumentFactory. When it comes time to parse the SVG in Document createDocument(InputSource is), line 401 of SAXDocumentFactory, the code instantiates the parser either from a String class name or from an internal static factory with package visibility.
Therefore, the only way to supply your own parser is to subclass SAXDocumentFactory, override createDocument, and create the parser yourself, so that it can be configured not to process external entities (XXE).
Any class that parses XML should either:
- provide a public accessor method to access the default parser factory
- allow passing in a parser factory
- allow passing in a parser factory class name (less than ideal, since it requires the user to write their own parser factory)
- allow passing in a parser instance
In the case of SAXDocumentFactory, a simple public static SAXParserFactory getDefaultParserFactory() would have obviated the need to subclass.
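As an added illustration (not Batik code), the following hypothetical HardenedSaxFactory shows what such a public accessor would let a caller do: obtain the default SAXParserFactory, switch off DOCTYPE and external-entity processing with the standard JAXP/Xerces feature names, and reject a constructed SVG that declares an external entity. The class name, the method names and the sample input are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

// Hypothetical library-side helper: the accessor the issue asks for, plus the
// hardening a caller would apply once it can reach the factory.
public final class HardenedSaxFactory {

    public static SAXParserFactory getDefaultParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Forbid DOCTYPE entirely: without a DTD no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static XMLReader newHardenedReader()
            throws ParserConfigurationException, SAXException {
        XMLReader r = getDefaultParserFactory().newSAXParser().getXMLReader();
        // Last line of defence: never resolve an entity from disk or network.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an SVG whose DOCTYPE declares an external entity.
        // With the hardened factory it is rejected at the DOCTYPE, before resolution.
        String svg = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE svg [<!ENTITY ext SYSTEM \"file:///placeholder\">]>\n"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";
        try {
            newHardenedReader().parse(new InputSource(new StringReader(svg)));
            System.out.println("parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the accessor in place, a caller could apply the same setFeature calls to the factory that SAXDocumentFactory actually uses, which is the point of the request: no subclass, no second parser.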