[jira] [Updated] (TEXT-224) Set SecureProcessing feature in XmlStringLookup by default

Gary D. Gregory (Jira) Sat, 06 May 2023 06:54:05 -0700


     [ 
https://issues.apache.org/jira/browse/TEXT-224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Gary D. Gregory updated TEXT-224:
---------------------------------
    Summary: Set SecureProcessing feature in XmlStringLookup by default  (was: 
set SecureProcessing feature in XmlStringLookup)

> Set SecureProcessing feature in XmlStringLookup by default
> ----------------------------------------------------------
>
>                 Key: TEXT-224
>                 URL: https://issues.apache.org/jira/browse/TEXT-224
>             Project: Commons Text
>          Issue Type: Task
>    Affects Versions: 1.10.0
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java
> We could set this:
> xpf.[setFeature|https://docs.oracle.com/javase/8/docs/api/javax/xml/xpath/XPathFactory.html](XMLConstants.FEATURE_SECURE_PROCESSING,
>  Boolean.TRUE);
>  
> There is more that could be done but this feature would probably be clean 
> enough to roll out - compared to other options like pre-loading the XML using 
> a DocumentBuilder that might be configured to disable External Entities or 
> DTD loading generally.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (TEXT-224) Set SecureProcessing feature in XmlStringLookup by default

Reply via email to