Changeset 7283


Timestamp:
01/29/22 20:13:37 (2 years ago)
Author:
Oliver Schonefeld
Message:
  • disable DTD and parsing of external entities (OWASP XXE)
File:
1 edited

  • SRUClient/trunk/src/main/java/eu/clarin/sru/client/SRUXMLStreamReader.java

    r7272 r7283  
    836836    static {
    837837        factory = (XMLInputFactory2) XMLInputFactory.newInstance();
     838        // prevent XML eXternal Entity injection (XXE)
     839        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
     840        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
     841                Boolean.FALSE);
     842       
    838843        // Stax settings
    839844        factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
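Review bot: the two new setProperty calls (lines 839-841) sit unguarded inside the static initializer, so on a StAX implementation that rejects either key the resulting IllegalArgumentException surfaces as an ExceptionInInitializerError the first time SRUXMLStreamReader is loaded, with no hint that the XXE hardening is the cause; since the factory comes from XMLInputFactory.newInstance() and is only then cast to XMLInputFactory2, the concrete implementation depends on the classpath. Consider catching IllegalArgumentException around those two calls and rethrowing with a message naming the property, or at least adding a comment that the class requires an implementation honouring SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES. The change itself matches the standard StAX hardening (disable DTD support and external entity resolution), but it is a behavioural change for any SRU response that relies on a DOCTYPE or internal-subset entity declarations, and neither the hunk nor the commit message records that; a one-line Javadoc note on the class would close that gap.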