[ 
https://issues.apache.org/jira/browse/TEXT-224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary D. Gregory updated TEXT-224:
---------------------------------
    Description: 
https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java

We could set this:

xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
(setFeature: https://docs.oracle.com/javase/8/docs/api/javax/xml/xpath/XPathFactory.html)

 

There is more that could be done but this feature would probably be clean 
enough to roll out - compared to other options like pre-loading the XML using a 
DocumentBuilder that might be configured to disable External Entities or DTD 
loading generally.

  was:
https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java

We could set this:

xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
(setFeature: https://www.tabnine.com/code/java/methods/javax.xml.xpath.XPathFactory/setFeature)

 

There is more that could be done but this feature would probably be clean 
enough to roll out - compared to other options like pre-loading the XML using a 
DocumentBuilder that might be configured to disable External Entities or DTD 
loading generally.


> set SecureProcessing feature in XmlStringLookup
> -----------------------------------------------
>
>                 Key: TEXT-224
>                 URL: https://issues.apache.org/jira/browse/TEXT-224
>             Project: Commons Text
>          Issue Type: Task
>    Affects Versions: 1.10.0
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java
> We could set this:
> xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> (setFeature: https://docs.oracle.com/javase/8/docs/api/javax/xml/xpath/XPathFactory.html)
>  
> There is more that could be done but this feature would probably be clean 
> enough to roll out - compared to other options like pre-loading the XML using 
> a DocumentBuilder that might be configured to disable External Entities or 
> DTD loading generally.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
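As an added example (not code from the Commons Text project or from the issue), the two hardening options the description mentions written out in plain JAXP: an XPathFactory with FEATURE_SECURE_PROCESSING enabled, and the "other option" of pre-loading the XML through a DocumentBuilder that refuses DTDs and external entities. The class name, the helper names and the sample XML are constructed for illustration; the feature URIs are the standard SAX/Xerces ones understood by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SecureXPathLookupExample {

    // Constructed sample document; it stands in for the file an XML lookup would read.
    private static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?><config><db><host>db.internal</host></db></config>";

    /** Hypothetical helper: the change proposed in the issue, secure processing on the XPathFactory. */
    static XPathFactory secureXPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory xpf = XPathFactory.newInstance();
        // Disables XPath extension functions and applies the JDK's resource limits.
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf;
    }

    /** Hypothetical helper: the alternative from the issue, a DocumentBuilder with DTD and entity loading off. */
    static DocumentBuilder hardenedDocumentBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, so no entity declarations are ever processed.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that ignore the Xerces-specific feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the document with the hardened builder, then evaluates the XPath with the secured factory. */
    static String lookup(String xml, String expression) throws Exception {
        Document doc = hardenedDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xpath = secureXPathFactory().newXPath();
        return (String) xpath.evaluate(expression, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Normal input: prints "db.internal".
        System.out.println(lookup(SAMPLE_XML, "/config/db/host"));

        // Constructed input carrying a (harmless, internal) DOCTYPE: the hardened builder
        // rejects it before any entity is resolved, which is the behaviour a defender wants.
        String withDoctype =
            "<!DOCTYPE config [<!ENTITY e \"x\">]><config><db><host>&e;</host></db></config>";
        try {
            lookup(withDoctype, "/config/db/host");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two settings address different layers: FEATURE_SECURE_PROCESSING on the XPathFactory governs the XPath engine itself, while DOCTYPE and entity handling is decided by whichever parser turns the input into a document, which is why the description treats the DocumentBuilder route as the more thorough (if more invasive) option.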
