[ https://issues.apache.org/jira/browse/TEXT-224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary D. Gregory resolved TEXT-224.
----------------------------------
Fix Version/s: 1.10.1
Assignee: Gary D. Gregory
Resolution: Fixed
[~pj.fanning]
Done in git master and snapshot build. Please validate your use case and close.
> Set SecureProcessing feature in XmlStringLookup by default
> ----------------------------------------------------------
>
> Key: TEXT-224
> URL: https://issues.apache.org/jira/browse/TEXT-224
> Project: Commons Text
> Issue Type: Task
> Affects Versions: 1.10.0
> Reporter: PJ Fanning
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 1.10.1
>
>
> https://github.com/apache/commons-text/blob/master/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java
> We could set this:
> xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> https://docs.oracle.com/javase/8/docs/api/javax/xml/xpath/XPathFactory.html
>
> There is more that could be done but this feature would probably be clean
> enough to roll out - compared to other options like pre-loading the XML using
> a DocumentBuilder that might be configured to disable External Entities or
> DTD loading generally.
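The two options discussed in the issue, side by side, as an added example that is not the Commons Text code: the secure-processing feature on the XPathFactory, plus the heavier alternative of pre-loading the XML with a DocumentBuilder that refuses any DOCTYPE. The class name, the lookup helper and the sample documents are assumptions constructed for illustration; disallow-doctype-decl is the Xerces feature name, which the JDK's built-in parser also honours.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SecureXPathLookup {

    // Hypothetical helper, not XmlStringLookup itself: evaluates xpath against xml.
    static String lookup(String xml, String xpath) throws Exception {
        // Alternative from the issue: pre-load the XML with a locked-down parser.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE rules out DTD loading and entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));

        // The setting proposed in the issue: with it enabled, any reference to
        // an external (extension) function in the expression is an error.
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
        return xpf.newXPath().evaluate(xpath, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document resolves normally.
        String plain = "<config><name>demo</name></config>";
        System.out.println("plain document: " + lookup(plain, "/config/name"));

        // Constructed sample input: an internal entity only, no external reference.
        String withDoctype = "<!DOCTYPE config [<!ENTITY e \"x\">]>"
                + "<config><name>&e;</name></config>";
        try {
            lookup(withDoctype, "/config/name");
            System.out.println("DOCTYPE was accepted (parser not hardened)");
        } catch (SAXParseException e) {
            // The parser stops at the DOCTYPE before any entity is processed.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```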