diff --git a/src/main/java/sirius/kernel/xml/XMLGenerator.java b/src/main/java/sirius/kernel/xml/XMLGenerator.java
index dcb80198..600b609f 100644
--- a/src/main/java/sirius/kernel/xml/XMLGenerator.java
+++ b/src/main/java/sirius/kernel/xml/XMLGenerator.java
@@ -16,6 +16,7 @@
 import javax.annotation.Nullable;
 import javax.annotation.ParametersAreNonnullByDefault;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -146,6 +147,7 @@ public static Document createDocument(@Nullable String namespaceURI,
 String qualifiedName,
 @Nullable DocumentType docType) throws ParserConfigurationException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 DOMImplementation impl = builder.getDOMImplementation();
 return impl.createDocument(namespaceURI, qualifiedName, docType);
diff --git a/src/main/java/sirius/kernel/xml/XMLReader.java b/src/main/java/sirius/kernel/xml/XMLReader.java
index 46259bc7..a52e7cd4 100644
--- a/src/main/java/sirius/kernel/xml/XMLReader.java
+++ b/src/main/java/sirius/kernel/xml/XMLReader.java
@@ -17,6 +17,7 @@
 import sirius.kernel.commons.Strings;
 import sirius.kernel.health.Exceptions;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
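Review bot: The new setFeature call in createDocument configures a factory whose builder is used only for getDOMImplementation() and createDocument(); nothing is parsed in this method, so the secure-processing limits should have no observable effect here. It is harmless and keeps the factories configured alike, but a comment would spare the next reader a search for the parse call, e.g. `// No input is parsed here; secure processing is set for parity with the parsing factories in XMLReader and XMLStructuredInput`. createDocument's signature begins above the hunk and the method closes below it.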
@@ -63,7 +64,9 @@ public class XMLReader extends DefaultHandler {
 */
 public XMLReader() {
 try {
- documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ documentBuilder = documentBuilderFactory.newDocumentBuilder();
 taskContext = TaskContext.get();
 } catch (ParserConfigurationException exception) {
 throw Exceptions.handle(exception);
@@ -178,6 +181,7 @@ static class UserInterruptException extends RuntimeException {
 public void parse(InputStream stream, Function resourceLocator) throws IOException {
 try (stream) {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 SAXParser saxParser = factory.newSAXParser();
 org.xml.sax.XMLReader reader = saxParser.getXMLReader();
 reader.setEntityResolver(new EntityResolver() {
diff --git a/src/main/java/sirius/kernel/xml/XMLStructuredInput.java b/src/main/java/sirius/kernel/xml/XMLStructuredInput.java
index 5e93e8aa..dda55017 100644
--- a/src/main/java/sirius/kernel/xml/XMLStructuredInput.java
+++ b/src/main/java/sirius/kernel/xml/XMLStructuredInput.java
@@ -14,6 +14,7 @@
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -38,6 +39,7 @@ public class XMLStructuredInput implements StructuredInput {
 public XMLStructuredInput(InputStream inputStream, @Nullable NamespaceContext namespaceContext) throws IOException {
 try {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 if (namespaceContext != null) {
 factory.setNamespaceAware(true);
 }
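Review bot: FEATURE_SECURE_PROCESSING on its own does not stop external entity and external DTD resolution on the three parsers configured in this line — the DocumentBuilderFactory in the XMLReader constructor, the SAXParserFactory in parse(), and the DocumentBuilderFactory in the XMLStructuredInput constructor; with the JDK's built-in parser the feature mainly enforces entity-expansion and size limits, so a document from an untrusted source can still reference external resources. Where document type declarations are not required, add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` beside each new setFeature line; where they are, set `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` instead, plus `setXIncludeAware(false)` on the DOM factories. parse() installs a custom EntityResolver right after its hunk, so entity handling there looks intentional; its body lies outside the hunk and is worth checking so that identifiers the resourceLocator does not know yield an empty InputSource rather than a fetch from the declared system id. All three enclosing constructors/methods continue past their hunks.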