[FIXED] fixed pom.xml with <!DOCTYPE xml> parsing issue

thevpc · Nov 8, 2021 · 99598f0 · 99598f0
1 parent 8963416
commit 99598f0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/core/nuts-runtime/src/main/java/net/thevpc/nuts/runtime/core/format/xml/NutsXmlUtils.java b/core/nuts-runtime/src/main/java/net/thevpc/nuts/runtime/core/format/xml/NutsXmlUtils.java
@@ -209,7 +209,8 @@ public static DocumentBuilder createDocumentBuilder(boolean safe, NutsSession se
             documentFactory.setExpandEntityReferences(false);
             // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
             // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
-            setLenientFeature(documentFactory, "http://apache.org/xml/features/disallow-doctype-decl", true);
+            //commented because some pom.xml contains <!DOCTYPE xml>
+            //setLenientFeature(documentFactory, "http://apache.org/xml/features/disallow-doctype-decl", true);
 
             // If you can't completely disable DTDs, then at least do the following:
             // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities

diff --git a/...s-runtime/src/main/java/net/thevpc/nuts/runtime/core/parser/DefaultNutsVersionParser.java b/...s-runtime/src/main/java/net/thevpc/nuts/runtime/core/parser/DefaultNutsVersionParser.java
@@ -10,7 +10,7 @@ public class DefaultNutsVersionParser implements NutsVersionParser {
     /**
      * ${} added to support versions as maven place-holders
      */
-    private static final Pattern PATTERN=Pattern.compile("[A-Za-z0-9._*,()\\[\\] ${}-]+");
+    private static final Pattern PATTERN=Pattern.compile("[A-Za-z0-9._*,()\\[\\] ${}+-]+");
     private NutsSession session;
     private boolean lenient=false;
     private boolean acceptBlank = true;