ppkarwasz opened a new pull request, #11:
URL: https://github.com/apache/commons-xml/pull/11

Applies the COMMONSXML-1 capability-driven approach to the SAX path, replacing the per-implementation class-name dispatch for `SAXParserFactory` and `XMLReader` with a single `SAXParserHardener`.

- `harden(SAXParserFactory)` sets FSP and wraps the factory in the now-universal `HardeningSAXParserFactory`; `hardenReader(XMLReader)` applies the limits, skips the external DTD subset where supported, and probes `ACCESS_EXTERNAL_*` (bare reader when honoured, deny-all `EntityResolver` otherwise).
- `HardeningSAXParserFactory` returns a `HardeningSAXParser` exposing both the hardened `XMLReader` and a matching SAX 1 `Parser`, so either access path is hardened.
- `StockJdkProvider`/`XercesProvider` lose their SAX recipes; `Limits` gains `tryApply(XMLReader)`; `JaxpSetters` gains `setOptionalFeature(XMLReader)` / `trySetProperty(XMLReader)`. `AndroidProvider` is removed.
- Android/Expat keeps a documented class-name exception with two fixups: a subset-aware deny-all resolver (fail on external entities, allow an unused external subset) and an `ExpatReaderWrapper` that rejects `namespace-prefixes` eagerly. Android DOM (KXmlParser) stays a pass-through.

**Behaviour change:** the returned `SAXParserFactory` no longer forces namespace awareness (the previous recipes did); it is left to the caller. `XmlFactories.harden(Source)` sets it where the schema/XSLT/validator source paths need it.

**Tests:** adds `SchemaLocationSaxTest` and a SAX case in `UnsupportedXmlImplementationTest`; SAX attack assertions remain strict (Android still blocks). `mvn verify` green across stock JDK and external Xerces; the Android/Expat fixups still need a run on the api33 managed device.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

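The capability-driven sequence the PR describes for `hardenReader(XMLReader)` (set FSP, apply limits, skip the external DTD subset where supported, probe `ACCESS_EXTERNAL_*`, and fall back to a deny-all `EntityResolver` only when the properties are not honoured) is illustrated below as an added, stand-alone example. It is not code from the commons-xml pull request: the `hardenReader`, `trySetFeature` and `trySetProperty` methods are hypothetical stand-ins for the PR's `SAXParserHardener` / `JaxpSetters` helpers, and the test document is constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class SaxHardeningExample {

    // Hypothetical stand-in for the PR's hardenReader(XMLReader). Every setting is
    // probed on the reader itself rather than chosen from the implementation's class name.
    static XMLReader hardenReader(XMLReader reader) {
        // 1. FSP and the external DTD subset, each probed individually.
        trySetFeature(reader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        trySetFeature(reader, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        // 2. One representative limit (JDK property name; silently ignored by parsers that lack it).
        trySetProperty(reader, "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", "1000");

        // 3. Probe the JAXP 1.5 ACCESS_EXTERNAL_* properties; "" denies every protocol.
        boolean accessHonoured =
                trySetProperty(reader, XMLConstants.ACCESS_EXTERNAL_DTD, "")
             && trySetProperty(reader, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        // 4. Fallback: a deny-all EntityResolver when the parser does not honour them.
        if (!accessHonoured) {
            reader.setEntityResolver((publicId, systemId) -> {
                throw new SAXException("external entity resolution blocked: " + systemId);
            });
        }
        return reader;
    }

    // Returns true when the feature is recognised and supported, false otherwise.
    static boolean trySetFeature(XMLReader reader, String name, boolean value) {
        try {
            reader.setFeature(name, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false;
        }
    }

    // Returns true when the property is recognised and supported, false otherwise.
    static boolean trySetProperty(XMLReader reader, String name, Object value) {
        try {
            reader.setProperty(name, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = hardenReader(factory.newSAXParser().getXMLReader());

        // Constructed test document: an external general entity pointing at a local file.
        // A hardened reader must never place that file's contents into the element text.
        String doc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent/secret.txt\">]>\n"
                + "<d>&ext;</d>";

        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        try {
            reader.parse(new InputSource(new StringReader(doc)));
            System.out.println("parsed; element text = '" + text + "' (entity not expanded)");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On a stock JDK the `ACCESS_EXTERNAL_*` probe succeeds, so no resolver is installed and the parser itself refuses the file access (or skips the entity); on a parser that does not recognise those properties, the deny-all resolver is what stops resolution. Either way the observable result is an error or an empty expansion, never the file's contents. Note that this simple resolver is not subset-aware: unlike the PR's Android fixup, it would also block an unused external subset, which is the case the PR handles separately.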