hansva commented on issue #2744: URL: https://github.com/apache/hop/issues/2744#issuecomment-1612712984
Hi Gabriel,

This issue has been migrated from Jira, so I'm not the actual owner. That being said, I do know where the error comes from.

This is a sample XML file that will generate the "problem" (which actually is not a problem but a well-considered action on our side): [xml-with-doctype.txt](https://github.com/apache/hop/files/11904172/xml-with-doctype.txt)

The problem probably comes from the following line in our [XmlParserFactoryProducer](https://github.com/apache/hop/blob/c2ce039b38266dfa4718212e92edf6972e74afc8/core/src/main/java/org/apache/hop/core/xml/XmlParserFactoryProducer.java#L44) or from Dom4JUtil.java.

My idea for a possible solution would be to add an extra tab named "Security" next to the Fields tab in the Get data from XML transform:

<img width="988" alt="Screenshot 2023-06-29 at 11 30 55" src="https://github.com/apache/hop/assets/1140235/8345fd60-f975-4052-8e96-bb321bc9a28d">

There the user should be able to disable specific security features such as `disallow-doctype-decl` or `load-external-dtd`.

It cannot be a general lowering of the security measures we put in place to avoid external code execution.
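
The per-feature opt-out proposed in the comment above, sketched as an added example (not Hop's code and not written by the commenter): a JAXP `DocumentBuilderFactory` that stays hardened by default and relaxes only the two named features on request, while external entity resolution is never relaxed. The class, the `Relaxation` enum and the method names are hypothetical; the feature URIs are the standard Xerces/SAX ones, and the sample XML is constructed.

```java
import java.io.StringReader;
import java.util.EnumSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SelectiveXmlHardening {
  // Hypothetical per-transform opt-outs, one per checkbox on the proposed "Security" tab.
  enum Relaxation { ALLOW_DOCTYPE, LOAD_EXTERNAL_DTD }

  static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
  static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
  static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
  static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";

  static DocumentBuilder newBuilder(Set<Relaxation> relaxed) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Only these two features follow the user's choice; both default to the strict value.
    f.setFeature(DISALLOW_DOCTYPE, !relaxed.contains(Relaxation.ALLOW_DOCTYPE));
    f.setFeature(LOAD_EXT_DTD, relaxed.contains(Relaxation.LOAD_EXTERNAL_DTD));
    // Never user-configurable: external entities, XInclude and entity expansion stay off.
    f.setFeature(EXT_GENERAL, false);
    f.setFeature(EXT_PARAM, false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder();
  }

  static String parse(String xml, Set<Relaxation> relaxed) {
    try {
      Document d = newBuilder(relaxed).parse(new InputSource(new StringReader(xml)));
      return "parsed <" + d.getDocumentElement().getNodeName() + ">";
    } catch (Exception e) {
      return "rejected: " + e.getMessage();
    }
  }

  public static void main(String[] args) {
    // Constructed sample: a DOCTYPE with an internal subset only, no external references.
    String xml = "<?xml version=\"1.0\"?><!DOCTYPE rows [<!ELEMENT rows ANY>]>"
        + "<rows><row>1</row></rows>";
    System.out.println(parse(xml, EnumSet.noneOf(Relaxation.class)));
    System.out.println(parse(xml, EnumSet.of(Relaxation.ALLOW_DOCTYPE)));
  }
}
```

With no relaxations the sample is rejected at the DOCTYPE declaration; with only `ALLOW_DOCTYPE` it parses, and external DTD loading and external entities remain disabled.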
