jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
@@ -113,16 +113,30 @@
this.errorReceiver = errReceiver;
this.logic = logic;
try {
// secure xml processing can be switched off if input requires it
boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
- DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled);
+ DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled);
dbf.setNamespaceAware(true);
this.documentBuilder = dbf.newDocumentBuilder();
this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
this.parserFactory.setNamespaceAware(true);
+
+ if(secureProcessingEnabled){
+ dbf.setExpandEntityReferences(false);
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (SAXNotRecognizedException e){
+ throw new ParserConfigurationException(e.getMessage());
+ } catch (SAXNotSupportedException e) {
+ throw new ParserConfigurationException(e.getMessage());
+ }
+ }
+
} catch (ParserConfigurationException e) {
throw new AssertionError(e);
}
}
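Review bot: `dbf.setExpandEntityReferences(false)` in the new `if(secureProcessingEnabled)` block runs after `this.documentBuilder = dbf.newDocumentBuilder()`, and a factory setting only affects builders created afterwards, so the already-built `documentBuilder` never receives it; `dbf` is a local and no other builder is created from it in the visible lines. Move the call above `newDocumentBuilder()`, for example `if (secureProcessingEnabled) { dbf.setExpandEntityReferences(false); }` directly after `dbf.setNamespaceAware(true);`. Separately, the DOM factory is now created with `!secureProcessingEnabled` while `XmlUtil.newSAXParserFactory(secureProcessingEnabled)` keeps the un-negated value. `XmlUtil` is not shown here, so confirm what its boolean parameter means, because if both helpers share that meaning only one of the two calls can be right. The constructor begins before this hunk.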