kinow commented on code in PR #2006:
URL: https://github.com/apache/jena/pull/2006#discussion_r1313654807
##########
jena-base/src/main/java/org/apache/jena/atlas/io/IndentedWriter.java:
##########
@@ -217,6 +219,29 @@ public void ensureStartOfLine() {
newline() ;
}
+ public boolean atLineStart() { return startingNewLine ; }
+
+ // A line is prefix?number?content.
+ private void lineStart() {
+ if ( flatMode ) {
+ if ( startingNewLine && row > 1 )
+ // Space between each line.
+ write$(' ') ;
+ startingNewLine = false ;
+ return ;
+ }
+
+ // Need to do its just before we append anything, not after a NL,
Review Comment:
s/its/it?
##########
jena-core/src/main/java/org/apache/jena/util/JenaXMLInput.java:
##########
@@ -72,15 +89,38 @@ public static XMLReader createXMLReader() throws
ParserConfigurationException, S
* Initialize an XMLInputFactory to jena settings.
*/
public static void initXMLInputFactory(XMLInputFactory xf) {
+ /*
+ *
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+ * ---
+ * // This disables DTDs entirely for that factory
+ * xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ *
+ * or if you can't completely disable DTDs:
+ *
+ * // This causes XMLStreamException to be thrown if external DTDs
are accessed.
+ * xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
+ * // disable external entities
+ *
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities",
false);
+ */
+
+ String name = xf.getClass().getName();
+ boolean isWoodstox = name.startsWith("com.ctc.wstx.stax.");
+ boolean isJDK = name.contains("sun.xml.internal");
+ boolean isXerces = name.startsWith("org.apache.xerces");
+
// This disables DTDs entirely for the factory.
- // All DTDs are silently ignored; takes precedence over
ACCESS_EXTERNAL_DTD
+ // DTDs are silently ignored except for xmlEventReader.nextTag() which
throws an exception on a "DTD" event.
+ // Code can peek and skip the DTD/
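Review bot: The `isWoodstox`, `isJDK` and `isXerces` flags are derived from class-name matching on `xf`, so a factory that matches none of them (another StAX implementation, or a subclass or wrapper in a different package) is unrecognised, and the quoted hunk does not show which XXE settings it then receives. If the rest of `initXMLInputFactory` applies any hardening property only when one of these flags is true, the unrecognised case should fail closed: still attempt `xf.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);` and `xf.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);`, and log or throw when the factory rejects them rather than continuing with its defaults. `isJDK` uses `contains` where the other two use `startsWith`; a one-line comment naming the class each test is meant to match (for the JDK presumably `com.sun.xml.internal.stream.XMLInputFactoryImpl`) would show the looser match is deliberate. The method body continues outside the quoted hunk, so this may already be handled there.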
Review Comment:
. instead of / ?
##########
jena-core/src/main/java/org/apache/jena/util/JenaXMLInput.java:
##########
@@ -115,6 +155,9 @@ public static DocumentBuilderFactory
newDocumentBuilderFactory() throws ParserCo
return factory;
}
+ //
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxbuilder
+
+// //
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
Review Comment:
Double //'s ? Doesn't really matter though.