[JELLY-293] Accommodate toggling off DTD external entities. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0
Fix Version/s: 1.0.1
Component/s: core / taglib.core
Labels:
None

Description

We want the ability to configure whether or not jelly files can be declared such that the doctype definition at the beginning of the XML can call out to external entities under the parsing by SAX in the xerces project.

The suggested fix is to add

if (!allowDtdToCallExternalEntities) {
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}

immediately following this line: https://github.com/apache/commons-jelly/blob/commons-jelly-1.0/src/java/org/apache/commons/jelly/parser/XMLParser.java#L496

Attachments

Activity

People

Assignee:: Rob Tompkins

Reporter:: Rob Tompkins

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Aug/17 10:53

Updated:: 26/Sep/17 12:19

Resolved:: 29/Aug/17 13:39