Since message builders are configurable, a user already has the option to replace ApplicationXMLBuilder by an alternative (and insecure!) implementation.
Andreas

On Sat, Jan 22, 2011 at 08:30, Supun Kamburugamuva <[email protected]> wrote:
> If this is handled at the Axiom layer why are we throwing this
> exception? Shouldn't we let the user control this behavior, without
> always throwing an exception?
>
> Thanks,
> Supun..
>
> On Fri, Jan 21, 2011 at 1:29 PM, Miyuru Wanninayaka <[email protected]>
> wrote:
>> Hi all,
>>
>> I'm trying to process XML response from a POX service which returns XML
>> response with DOCTYPE declarations and it fails with
>> "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed exception".
>> Reason for this is DisallowDoctypeDeclStreamReaderWrapper throws an
>> XMLStreamException when DTD element found. I think this is done to fix
>> security vulnerability CVE-2010-1632.
>>
>> AFAIK setting javax.xml.stream.supportDTD property to false in axiom will
>> prevent DTD processing and does not require to throw an exception when DTD
>> found.
>>
>> --
>> Thanks,
>> Miyuru Wanninayaka
>> Software Engineer - WSO2 Inc.
>>
>
> --
> Technical Lead, WSO2 Inc
> http://wso2.org
> supunk.blogspot.com
