This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit ff79a088b04bee828ee264dce7c05c171e4ddf5a
Author: Bertrand Delacretaz <[email protected]>
AuthorDate: Wed Aug 10 09:57:15 2016 +0000

    SLING-5954 - Disable non-essential features in XML parser
    
    git-svn-id: 
https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755704 
13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     | 10 ++++++++++
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java 
b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index e0fc15f..b38fde6 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 @Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAPI {
         factory = SAXParserFactory.newInstance();
         factory.setValidating(false);
         factory.setNamespaceAware(true);
+        try {
+            
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+        } catch (Exception e) {
+            LOGGER.error("SAX parser configuration error: " + e.getMessage(), 
e);
+        }
     }
 
     @Deactivate
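Review bot: The `catch (Exception e)` closing the new try block logs the failure and lets activation continue, so if any of the three `setFeature` calls is rejected the component keeps running with a factory whose external-DTD and external-entity handling is still at the parser's defaults. The only checked types this block can throw are exactly the ones the commit imports but never names, so narrowing to `catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e)` and rethrowing, e.g. `throw new IllegalStateException("SAX parser configuration error", e);`, would make a parser that cannot be hardened fail activation instead of being used silently. Multi-catch needs Java 7+; if the bundle still targets 6, three separate catch clauses with the same body do the same job. The enclosing method starts before the hunk, so whether its callers tolerate a throw is not visible here.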
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java 
b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e6f3c87..263514e 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -673,6 +673,10 @@ public class XSSAPIImplTest {
                 {
                         "<t><w>xyz</t></w>",
                         RUBBISH_XML
+                },
+                {
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM 
\"http://nonExistentHost:1234/\";><test/>",
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM 
\"http://nonExistentHost:1234/\";><test/>"
                 }
         };
         for (String[] aTestData : testData) {
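Review bot: The added case only exercises the external-DTD fetch — a `<!DOCTYPE ... SYSTEM>` pointing at an unreachable host that must still round-trip unchanged — which appears to cover `load-external-dtd` but leaves the other two features the commit disables (`external-parameter-entities`, `external-general-entities`) without a test. A companion case whose internal subset declares an external general entity against the same `http://nonExistentHost:1234/` URL and references it in the element content would pin down that the entity is not resolved either; whether its expected value follows the same pass-through pattern should be confirmed against the implementation. Because the expected value equals the input, a regression that re-enabled DTD loading would surface only as a network timeout or an exception rather than a clear assertion message, so a comment such as `// SLING-5954: external DTD must not be fetched; an unreachable host must not turn valid XML into RUBBISH_XML` above the new entry would help future readers. The `testData` initialization begins before the hunk and the loop over it continues past its end.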
