BATIK-1113 (Batik): Hard to solve XML External Entities problem


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.8
    • None
    • SVG DOM
    • None

    Description

      Even if one agrees with the sentiments expressed in the comments of BATIK-1018, it should be possible to turn off XML external entity processing without subclassing Batik classes.

      Take for example SAXSVGDocumentFactory, which extends SAXDocumentFactory. When it comes time to parse the SVG in Document createDocument(InputSource is), line 401 of SAXDocumentFactory, the code uses either a String classname to instantiate the parser, or an internal static factory with package visibility.
      Therefore, the only way to create a parser is to subclass SAXDocumentFactory, override createDocument, and create your own parser, so that it can be configured to not process XEE.

      Any class that parses XML should either:

      • provide a public accessor method to access the default parser factory
      • allow passing in a parser factory
      • allow passing in a parser factory class name (less than ideal, requires user to write their own parser factory)
      • allow passing in a parser instance

      In the case of SAXDocumentFactory, a simple public static SAXParserFactory getDefaultParserFactory() would have obviated the need to subclass.
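
The following is an added example, not Batik code and not from the reporter: it shows the parser configuration the report is asking to be able to apply, side by side with an unconfigured JAXP reader, run over a constructed SVG that declares an external entity. The feature URIs are the standard SAX/Xerces ones; the class name, the SVG text and the file:///nonexistent placeholder URI are assumptions made up for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SvgXxeDemo {

    // Constructed sample input, not a real attachment: an SVG whose <title>
    // expands an external entity. The SYSTEM URI is a placeholder path.
    static final String HOSTILE_SVG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///nonexistent/secret.txt\">\n"
      + "]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\"><title>&xxe;</title></svg>\n";

    /** A plain JAXP reader: DOCTYPEs and external entities are honoured. */
    static XMLReader defaultReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    /** A reader that refuses DOCTYPEs and never fetches an external entity. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);
        f.setXIncludeAware(false);
        // Xerces feature: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Standard SAX features, in case the parser in use lacks the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        XMLReader reader = f.newSAXParser().getXMLReader();
        // Last line of defence: if something still asks for an external
        // resource, fail the parse instead of returning it.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return reader;
    }

    /** Parse with a no-op handler and describe what happened. */
    static String parse(XMLReader reader, String xml) {
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return "parsed (entity was expanded)";
        } catch (SAXParseException e) {
            return "rejected at line " + e.getLineNumber() + ": " + e.getMessage();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "tried to fetch the entity: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parse(defaultReader(), HOSTILE_SVG));
        System.out.println("hardened: " + parse(hardenedReader(), HOSTILE_SVG));
    }
}
```

With default JAXP settings the first reader goes as far as opening the placeholder URI (it fails with an I/O error only because the file does not exist, which is precisely the fetch an attacker is after), whereas the hardened reader stops at the DOCTYPE before any entity is declared. In Batik's case, as the report describes, the only place these features can currently be applied is an override of createDocument in a SAXDocumentFactory subclass, because the factory builds its reader from a class name or a package-private factory; the accessor the report proposes would let a caller configure the factory this way instead.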

            People

              Assignee: Unassigned
              Reporter: Tony BenBrahim (tony.benbrahim)