ppkarwasz opened a new pull request, #11: URL: https://github.com/apache/commons-xml/pull/11
Applies the COMMONSXML-1 capability-driven approach to the SAX path, replacing the per-implementation class-name dispatch for `SAXParserFactory` and `XMLReader` with a single `SAXParserHardener`.

- `harden(SAXParserFactory)` sets FSP and wraps the factory in the now-universal `HardeningSAXParserFactory`; `hardenReader(XMLReader)` applies the limits, skips the external DTD subset where supported, and probes `ACCESS_EXTERNAL_*` (bare reader when honoured, deny-all `EntityResolver` otherwise).
- `HardeningSAXParserFactory` returns a `HardeningSAXParser` exposing both the hardened `XMLReader` and a matching SAX 1 `Parser`, so either access path is hardened.
- `StockJdkProvider`/`XercesProvider` lose their SAX recipes; `Limits` gains `tryApply(XMLReader)`; `JaxpSetters` gains `setOptionalFeature(XMLReader)` / `trySetProperty(XMLReader)`. `AndroidProvider` is removed.
- Android/Expat keeps a documented class-name exception with two fixups: a subset-aware deny-all resolver (fail on external entities, allow an unused external subset) and an `ExpatReaderWrapper` that rejects `namespace-prefixes` eagerly. Android DOM (KXmlParser) stays a pass-through.

**Behaviour change:** the returned `SAXParserFactory` no longer forces namespace awareness (the previous recipes did); it is left to the caller. `XmlFactories.harden(Source)` sets it where the schema/XSLT/validator source paths need it.

**Tests:** adds `SchemaLocationSaxTest` and a SAX case in `UnsupportedXmlImplementationTest`; SAX attack assertions remain strict (Android still blocks). `mvn verify` green across stock JDK and external Xerces; the Android/Expat fixups still need a run on the api33 managed device.
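The capability probe described in the pull request, sketched as an added example (not code from commons-xml or from this PR): the reader is asked to accept the `ACCESS_EXTERNAL_*` properties and gets a deny-all `EntityResolver` only if it refuses them. The class name `SaxCapabilityProbe`, the method `restrictExternalAccess` and the sample document are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical illustration class; not part of commons-xml.
public class SaxCapabilityProbe {

    // Deny-all fallback: any attempt to resolve an external entity fails the parse.
    static final EntityResolver DENY_ALL = (publicId, systemId) -> {
        throw new SAXException("External entity blocked: " + systemId);
    };

    // Probe by capability, not by class name: returns true if the reader
    // accepted both ACCESS_EXTERNAL_* properties, false if the fallback was installed.
    static boolean restrictExternalAccess(XMLReader reader) {
        try {
            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return true;
        } catch (SAXException e) { // SAXNotRecognizedException or SAXNotSupportedException
            reader.setEntityResolver(DENY_ALL);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // FSP
        XMLReader reader = factory.newSAXParser().getXMLReader();
        System.out.println("ACCESS_EXTERNAL_* honoured: " + restrictExternalAccess(reader));

        // Constructed sample input: an external general entity with a placeholder URI.
        String xml = "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///nonexistent/placeholder\">]>"
                + "<r>&e;</r>";
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed: external entity was NOT blocked");
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Either branch should end in a `SAXException` for the sample document; a run that prints the "NOT blocked" line means the implementation under test ignored both controls.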
