ppkarwasz commented on code in PR #5:
URL: https://github.com/apache/commons-xml/pull/5#discussion_r3448769830
##########
src/main/java/org/apache/commons/xml/Limits.java:
##########
@@ -231,10 +236,21 @@ final class Limits {
}
/**
- * Sets every JDK-supported limit on a stock JDK {@link
DocumentBuilderFactory}
- */
- static void applyToJdkDom(final DocumentBuilderFactory factory) {
- JDK_LIMITS.forEach((name, supplier) -> setAttribute(factory, name,
Integer.toString(supplier.getAsInt())));
+ * Best-effort application of the processing limits to a {@link
DocumentBuilderFactory}, dispatched on the implementation.
+ *
+ * <p>External Xerces carries its limits on an {@code
org.apache.xerces.util.SecurityManager} instance; every other implementation
(the stock JDK and any
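Review bot: the Javadoc added at the top of this hunk changes the stated contract from "Sets every JDK-supported limit" to "Best-effort application of the processing limits" without saying what happens when a limit cannot be applied. For a hardening helper, callers need to know whether an unsupported or rejected limit is skipped silently, logged, or raised as an error, so please state that in the first paragraph of the Javadoc. If the behaviour differs between the external Xerces path and the other implementations described in the second paragraph, document it per path.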
Review Comment:
Fixed in 8097b2a16611600cfb1d24d68c481f4ea7115343 .
##########
src/main/java/org/apache/commons/xml/XercesProvider.java:
##########
@@ -39,7 +35,7 @@
* Hardening recipes for the external Apache Xerces distribution (the {@code
xerces:xercesImpl} artifact).
*
* <p>Factory classes live in the {@code org.apache.xerces.*} package.
External Xerces does not ship a {@code TransformerFactory}, {@code
XMLInputFactory} or
- * {@code XPathFactory}, so this class only handles DOM, SAX and Schema
factories.</p>
+ * {@code XPathFactory}, so this class only handles SAX and Schema factories;
DOM hardening lives in {@link DocumentBuilderHardener}.</p>
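Review bot: in the changed sentence, "so this class only handles SAX and Schema factories" still follows from "External Xerces does not ship a TransformerFactory, XMLInputFactory or XPathFactory", but that reason does not explain why DOM is absent. External Xerces does provide a DOM factory; it is handled elsewhere by design. Consider ending the sentence after the list of factories that are not shipped, then adding a separate sentence such as "This class handles SAX and Schema factories; DOM hardening lives in {@link DocumentBuilderHardener}." so the two reasons are not conflated. The opening line, "Hardening recipes for the external Apache Xerces distribution", could also be narrowed, since the class no longer covers every factory that distribution provides.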
Review Comment:
Fixed in 8097b2a16611600cfb1d24d68c481f4ea7115343 .
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.