[TEXT-224] Set SecureProcessing feature in XmlStringLookup by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.10.0
Fix Version/s: 1.11.0
Labels:
None

Description

https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java

We could set this:

xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);

There is more that could be done but this feature would probably be clean enough to roll out - compared to other options like pre-loading the XML using a DocumentBuilder that might be configured to disable External Entities or DTD loading generally.

Attachments

Activity

People

Assignee:: Gary D. Gregory

Reporter:: PJ Fanning

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/May/23 19:41

Updated:: 06/May/23 13:59

Resolved:: 06/May/23 13:59