[WW-5252] Completely disable external entities declarations in XML config - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.1.1
Component/s: XML Configuration
Labels:
None

Description

Reported by Sonar

https://sonarcloud.io/project/issues?id=apache_struts&issues=AW_X5AiQ1FYS5oU8LTA8&open=AW_X5AiQ1FYS5oU8LTA8

SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

https://sonarcloud.io/project/issues?id=apache_struts&issues=AXFGIxd5s40Y9j2_QZHd&open=AXFGIxd5s40Y9j2_QZHd

TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
// to be compliant, prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Attachments

Issue Links

links to

GitHub Pull Request #628

Activity

People

Assignee:: Unassigned

Reporter:: Lukasz Lenart

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Oct/22 11:21

Updated:: 26/Jan/23 12:26

Resolved:: 02/Nov/22 09:32

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m