Hello, I am somewhat lost on how to enable or control the secure processing in the XMLReader.
You can use XMLConstants.FEATURE_SECURE_PROCESSING and/or XMLConstants.ACCESS_EXTERNAL_{DTD,SCHEMA} only on the SAXParserFactory, but not on XMLReader(Factory). Is this an oversight or am I missing something?

This seems to be a workaround (at least for Oracle RI):

    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    SAXParser parser = spf.newSAXParser();
    System.out.println("external dtd: " + parser.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
    XMLReader reader = parser.getXMLReader();

In this case the protocols value is "all" for FSP=false and "" for FSP=true. XMLConstants Javadoc does not talk about XMLReader, hm.

BTW: while investigating I noticed the changed default for secure processing is not reflected by the comment:

com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl.java

    /**
    L64* State of the secure processing feature, initially <code>false</code>
     */
    private boolean fSecureProcess = true;

http://hg.openjdk.java.net/jdk9/jdk9/jaxp/file/6d980e959726/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java#l64

Regards,
Bernd
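
The workaround from the message above, carried through to a parse, as an added example that is not part of the original post or of the JDK sources. It assumes a JAXP 1.5 implementation (JDK 7u40 or later); the class name, method names and the DTD path are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class RestrictedReaderDemo {
    // Constructed sample input: the DTD path is a placeholder that does not exist.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root SYSTEM \"file:///constructed/placeholder.dtd\">\n"
      + "<root/>";

    // Configure the restrictions on the factory and parser, then hand out the XMLReader.
    static XMLReader newRestrictedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = spf.newSAXParser();
        // Set the protocol lists explicitly instead of relying on what FSP implies.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return parser.getXMLReader();
    }

    // Returns true when the reader refuses the external DTD before any I/O happens.
    static boolean externalDtdBlocked() throws Exception {
        XMLReader reader = newRestrictedReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(DOC)));
            return false; // parsed without complaint: restriction not in effect
        } catch (SAXException e) {
            System.out.println("rejected by parser: " + e.getMessage());
            return true;
        } catch (IOException e) {
            // The parser tried to open the DTD, so the restriction did not apply.
            System.out.println("DTD fetch attempted: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external DTD blocked: " + externalDtdBlocked());
    }
}
```

A SAXException here means the restriction travelled with the XMLReader obtained from the SAXParser; an IOException means the reader still tried to resolve the external DTD.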