This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 3d726f8  Disable DocTypes for the SAXParserFactory instances
3d726f8 is described below

commit 3d726f878561dfdb12a7ceef895487939fe12951
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Thu Nov 22 14:38:38 2018 +0000

    Disable DocTypes for the SAXParserFactory instances
---
 core/src/main/java/org/apache/cxf/bus/spring/TunedDocumentLoader.java   | 2 ++
 .../java/org/apache/cxf/tools/validator/internal/SchemaValidator.java   | 1 +
 2 files changed, 3 insertions(+)

diff --git 
a/core/src/main/java/org/apache/cxf/bus/spring/TunedDocumentLoader.java 
b/core/src/main/java/org/apache/cxf/bus/spring/TunedDocumentLoader.java
index 8951d4c..9b9b26b 100644
--- a/core/src/main/java/org/apache/cxf/bus/spring/TunedDocumentLoader.java
+++ b/core/src/main/java/org/apache/cxf/bus/spring/TunedDocumentLoader.java
@@ -90,6 +90,8 @@ class TunedDocumentLoader extends DefaultDocumentLoader {
                                            true);
             
saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
             
nsasaxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
+            
nsasaxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
         } catch (Throwable e) {
             //ignore
         }
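Review bot: The two added `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` calls sit inside the existing `try { … } catch (Throwable e) { //ignore }`, so the hardening fails open. If the JAXP implementation in use does not recognise this Xerces-namespaced feature, the exception is swallowed and the factories keep accepting DOCTYPE declarations with no trace. The calls are also sequential, so a throw on the `saxParserFactory` line (or on the earlier `FEATURE_SECURE_PROCESSING` lines) skips the `nsasaxParserFactory` line. I would set each feature in its own guarded step and replace `//ignore` with a warning that names the feature that could not be applied, so operators can tell when DOCTYPE processing is still enabled. The `try` block opens outside this hunk, so its other statements are not visible here.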
diff --git 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
index c6d5148..e3c2ba1 100644
--- 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
+++ 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
@@ -186,6 +186,7 @@ public class SchemaValidator extends 
AbstractDefinitionValidator {
             SAXParserFactory saxFactory = SAXParserFactory.newInstance();
             saxFactory.setFeature("http://xml.org/sax/features/namespaces";, 
true);
             saxFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
saxFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             saxParser = saxFactory.newSAXParser();
 
             if (defaultSchemas != null) {
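Review bot: The feature URI added here is the same string literal that appears twice in TunedDocumentLoader, so three copies must now stay in sync by hand. A typo in any one of them would surface only as a not-recognised exception at runtime. I would define it once, e.g. `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";`, and reference that constant at each call site. The enclosing method and its exception handling lie outside the hunk, so it is worth confirming that a parser rejecting this feature makes validation fail with a clear message rather than being caught and ignored.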
