pjfanning commented on issue #5804:
URL: https://github.com/apache/hop/issues/5804#issuecomment-3385653944
@mattcasters these settings are more important
```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import javax.xml.XMLConstants;
...
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    // JDK7+ - http://xml.org/sax/features/external-general-entities
    // This feature has to be used together with the following one, otherwise
    // it will not protect you from XXE for sure
    "http://xml.org/sax/features/external-general-entities",
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    // JDK7+ - http://xml.org/sax/features/external-parameter-entities
    // This feature has to be used together with the previous one, otherwise
    // it will not protect you from XXE for sure
    "http://xml.org/sax/features/external-parameter-entities",
    // Disable external DTDs as well
    "http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
    try {
        // Disable the current feature from the loop (not a fixed constant)
        dbf.setFeature(feature, false);
    } catch (ParserConfigurationException e) {
        // This should catch a failed setFeature feature
        logger.info("ParserConfigurationException was thrown. The feature '"
            + feature
            + "' is probably not supported by your XML processor.");
        ...
    }
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
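A complete version of this hardening, as an added example that is not from the Apache Hop issue or its author: the same three features applied to a DocumentBuilderFactory together with the standard XMLConstants.FEATURE_SECURE_PROCESSING, then used to parse a constructed document that references an external general entity, so you can see the reference is left unexpanded instead of fetching the referenced resource. The class name and the file URI are placeholders, and unsupported features fail closed rather than being logged and skipped.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedXmlParser { // placeholder class name

    // The three features discussed in the comment
    private static final String[] FEATURES_TO_DISABLE = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd"
    };

    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Standard JAXP switch that also applies entity-expansion limits
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        for (String feature : FEATURES_TO_DISABLE) {
            try {
                dbf.setFeature(feature, false);
            } catch (ParserConfigurationException e) {
                // Fail closed: a partially hardened factory is not safe to hand out
                throw new ParserConfigurationException("Cannot disable " + feature + ": " + e.getMessage());
            }
        }
        dbf.setXIncludeAware(false);          // XInclude can also pull in external resources
        dbf.setExpandEntityReferences(false); // keep entity references unexpanded in the DOM
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: declares an external general entity and references it
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>\n"
            + "<root>&ext;</root>";
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        String text = doc.getDocumentElement().getTextContent();
        // With external-general-entities disabled the parser skips the entity,
        // so the element text is empty and the placeholder URI is never opened
        System.out.println("external entity expanded: " + !text.isEmpty());
    }
}
```

Remove the three features from the array and rerun to see the difference: the parser then tries to open the placeholder URI and the parse fails instead of silently succeeding with empty content.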