Commons Jelly / JELLY-293

Accommodate toggling off DTD external entities.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0
    • Fix Version/s: 1.0.1
    • Component/s: core / taglib.core
    • Labels: None

    Description

      We want the ability to configure whether or not jelly files can be declared such that the doctype definition at the beginning of the XML can call out to external entities under the parsing by SAX in the xerces project.

      The suggested fix is to add

      if (!allowDtdToCallExternalEntities) {
          reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
          reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
          reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      }
      

      immediately following this line: https://github.com/apache/commons-jelly/blob/commons-jelly-1.0/src/java/org/apache/commons/jelly/parser/XMLParser.java#L496


          People

            Assignee: Rob Tompkins (chtompki)
            Reporter: Rob Tompkins (chtompki)
            Votes: 0
            Watchers: 1
