mbeckerle commented on a change in pull request #560:
URL: https://github.com/apache/daffodil/pull/560#discussion_r639776727
##########
File path:
daffodil-japi/src/test/java/org/apache/daffodil/example/TestJavaAPI.java
##########
@@ -48,9 +49,31 @@
import org.apache.daffodil.japi.logger.ConsoleLogWriter;
import org.apache.daffodil.japi.logger.LogLevel;
import org.apache.daffodil.japi.io.InputSourceDataInputStream;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.XMLReader;
+
+import javax.xml.XMLConstants;
public class TestJavaAPI {
+ /**
+ * Best practices for XML loading are to turn off anything that could lead
to
+ * insecurity.
+ *
+ * This is probably unnecessary in the case of these tests, but as these
tests
+ * are also used to illustrate API usage, this exemplifies best practice.
+ */
+ public static void setSecureDefaults(XMLReader xmlReader)
+ throws SAXNotSupportedException, SAXNotRecognizedException {
+ xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ // since we're not really sure what they mean by secure processing
+ // we make doubly sure by setting these ourselves also.
+
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
+
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities";,
false);
+
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";,
false);
+ }
+
Review comment:
Agreed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
