stevedlawrence commented on pull request #560: URL: https://github.com/apache/daffodil/pull/560#issuecomment-847797937
Had one more thought: this mostly changes how we parse things like TDML files, DFDL Schemas, etc. But I *think* it leaves out some of the InfosetInputters? I assume the Scala, JDOM, and W3CDOM don't have these security issues since the XML was parsed into these data structures and so are safe to use. But the XMLTextInfosetInputter and JSON use the woodstox and jackson libraries, respectively. Neither of these use an XMLReader to parse. The XML one is StAX which uses a different API. And the JSON one is custom, but similar to StAX.

It looks like the Woodstox StAX properties are defined in three blog posts:

- https://cowtowncoder.medium.com/configuring-woodstox-xml-parser-basic-stax-properties-39bdf88c18ec
- https://cowtowncoder.medium.com/configuring-woodstox-xml-parser-stax2-properties-c80ef5a32ef1
- https://cowtowncoder.medium.com/configuring-woodstox-xml-parser-woodstox-specific-properties-1ce5030a5173

I think these are the javadocs for what an XMLInputFactory supports:

- https://docs.oracle.com/javase/6/docs/api/javax/xml/stream/XMLInputFactory.html
- https://fasterxml.github.io/woodstox/javadoc/6.2/com/ctc/wstx/api/WstxInputProperties.html

Do we need to set something similar for these? Could probably be done in a separate bug/PR if you want. This one is getting kind of big.
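For reference, the kind of StAX hardening the comment above is asking about, shown as an added example rather than code from the Daffodil project or this PR. It uses the standard `javax.xml.stream.XMLInputFactory` properties from the linked javadoc (`SUPPORT_DTD`, `IS_SUPPORTING_EXTERNAL_ENTITIES`, `IS_REPLACING_ENTITY_REFERENCES`, a refusing `XMLResolver`) and, only when the underlying implementation reports them as supported, the Woodstox-specific limit properties whose names are those of the `WstxInputProperties` constants in the linked Woodstox javadoc. The class name `SecureStaxFactory`, the helper names, and the two inline XML inputs are constructed for this example and are not part of Daffodil.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical helper: builds a StAX factory with DTD/entity processing disabled. */
public class SecureStaxFactory {

    /** Returns an XMLInputFactory configured to refuse DTDs and external entities. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();

        // Standard StAX properties (javax.xml.stream.XMLInputFactory javadoc).
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);

        // Defence in depth: any attempt to resolve an external DTD or entity fails loudly.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("external entity resolution is disabled: " + systemId);
        });

        // Woodstox-specific resource limits (names are the WstxInputProperties constants).
        // They are only set when the active StAX implementation reports them as supported,
        // so the factory still works with a non-Woodstox provider.
        setIfSupported(f, "com.ctc.wstx.maxEntityCount", 0);      // no entity expansion at all
        setIfSupported(f, "com.ctc.wstx.maxEntityDepth", 1);      // no nested entity expansion
        setIfSupported(f, "com.ctc.wstx.maxElementDepth", 1000);  // deeply nested-element bound
        setIfSupported(f, "com.ctc.wstx.maxAttributeSize", 512 * 1024);
        return f;
    }

    private static void setIfSupported(XMLInputFactory f, String name, Object value) {
        if (f.isPropertySupported(name)) {
            f.setProperty(name, value);
        }
    }

    /**
     * Reads a document with the hardened factory and returns the root element name.
     * A DTD event is rejected explicitly so the outcome does not depend on how a given
     * StAX implementation treats SUPPORT_DTD=false.
     */
    public static String readRootElementName(String xml) throws XMLStreamException {
        XMLStreamReader r = newHardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("DOCTYPE declarations are not accepted");
                }
                if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    throw new XMLStreamException("entity references are not accepted: " + r.getLocalName());
                }
                if (ev == XMLStreamConstants.START_ELEMENT) {
                    return r.getLocalName();
                }
            }
            throw new XMLStreamException("no root element found");
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample inputs: a plain document and one carrying an internal DTD.
        String plain = "<?xml version=\"1.0\"?><record><field>ok</field></record>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE record [<!ENTITY e \"x\">]><record>&e;</record>";

        System.out.println("root of plain document: " + readRootElementName(plain));
        try {
            readRootElementName(withDtd);
            System.out.println("unexpected: DTD document was accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The explicit `DTD`/`ENTITY_REFERENCE` checks in the read loop are there because `SUPPORT_DTD=false` alone means different things in different StAX implementations (skipping the internal subset versus failing on it); rejecting the events at the call site gives the same behaviour regardless of which provider `XMLInputFactory.newInstance()` returns.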
