stevedlawrence commented on a change in pull request #560:
URL: https://github.com/apache/daffodil/pull/560#discussion_r638247045



##########
File path: 
daffodil-japi/src/test/java/org/apache/daffodil/example/TestJavaAPI.java
##########
@@ -48,9 +49,31 @@
 import org.apache.daffodil.japi.logger.ConsoleLogWriter;
 import org.apache.daffodil.japi.logger.LogLevel;
 import org.apache.daffodil.japi.io.InputSourceDataInputStream;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.XMLReader;
+
+import javax.xml.XMLConstants;
 
 public class TestJavaAPI {
 
+    /**
+     * Best practices for XML loading are to turn off anything that could lead 
to
+     * insecurity.
+     *
+     * This is probably unnecessary in the case of these tests, but as these 
tests
+     * are also used to illustrate API usage, this exemplifies best practice.
+     */
+    public static void setSecureDefaults(XMLReader xmlReader)
+            throws SAXNotSupportedException, SAXNotRecognizedException {
+        xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        // since we're not really sure what they mean by secure processing
+        // we make doubly sure by setting these ourselves also.
+        
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+    }
+
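
Review bot: The inline comment in setSecureDefaults ("since we're not really sure what they mean by secure processing") gives readers no reason for the three explicit features, which matters because the javadoc says these tests also illustrate API usage. Suggest stating what each setting blocks: disallow-doctype-decl set to true rejects any document that carries a DOCTYPE, and the external-general-entities and external-parameter-entities features set to false stop external entity resolution. Also note that disallow-doctype-decl is an apache.org feature URI, so on an XMLReader that does not recognise it the declared SAXNotRecognizedException is thrown before the two external-entity features are set. The javadoc should tell callers to treat that as a hard failure rather than catch it and continue parsing.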

Review comment:
I'm not sure if this is official, but I only think of things in japi/sapi as being part of the public API. Other public classes/functions people can use, but they aren't necessarily stable and we won't make an attempt at backwards compatibility.

Since XMLUtils isn't part of sapi/japi, I would prefer that we not use it in japi/sapi tests since we often point people towards these tests for how to use the API. That way we aren't suggesting the use of non-public API.



