Interface SecureDocumentBuilderFactory

  • All Known Implementing Classes:

    public interface SecureDocumentBuilderFactory
    Interface that provides a safe DocumentBuilderFactory instance, hardened against the XXE/XEE attacks to which a default instance is susceptible. These XML parsing related vulnerabilities were detected in SAXReader objects in Apache POI. This interface is for internal use only.
    • Method Detail

      • createSecureBuilderFactory

        javax.xml.parsers.DocumentBuilderFactory createSecureBuilderFactory(java.lang.Boolean setNamespaceAware)
                                                                     throws javax.xml.parsers.ParserConfigurationException
        Invoked when a new instance of DocumentBuilderFactory is required.
        Parameters:
        setNamespaceAware - Whether to set the NamespaceAware configuration of the DocumentBuilderFactory to true or not.
        Returns:
        A new instance of DocumentBuilderFactory.
        Throws:
        javax.xml.parsers.ParserConfigurationException - If a DocumentBuilder cannot be created which satisfies the configuration requested.

        The following configuration has been added:

          factory.setNamespaceAware(true);
          factory.setValidating(true);
          factory.setExpandEntityReferences(false);
          factory.setFeature("", true);
          // do not include external general entities
          factory.setFeature("", false);
          // do not include external parameter entities or the external DTD subset
          factory.setFeature("", false);
          // build the grammar but do not use the default attributes and attribute types information it contains
          factory.setFeature("", false);
          // ignore the external DTD completely
          factory.setFeature("", false);
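
        A factory hardened along the lines of the configuration above, with a check that it refuses a document carrying an external entity. This is an added example, not this project's code: the feature names are blank in the listing, so the standard JAXP and Xerces feature names used here are an assumption, as are the class name HardenedFactoryExample, the isRejected helper and the constructed test documents.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedFactoryExample {

    // Same signature as the interface method; the feature names are this example's assumption.
    // A parser that does not support a feature makes setFeature throw ParserConfigurationException.
    static DocumentBuilderFactory createSecureBuilderFactory(Boolean setNamespaceAware)
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(Boolean.TRUE.equals(setNamespaceAware));
        factory.setExpandEntityReferences(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // refuse any document that carries a DOCTYPE declaration
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory;
    }

    // Returns true when the parser refuses the document with a fatal error.
    static boolean isRejected(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setErrorHandler(new DefaultHandler()); // quiet on stderr; fatal errors still throw
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test inputs; the entity target is a placeholder, not a real file.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x SYSTEM "
                + "\"file:///placeholder/not-a-real-file\">]><r>&x;</r>";
        String plain = "<?xml version=\"1.0\"?><r>ok</r>";
        DocumentBuilderFactory factory = createSecureBuilderFactory(true);
        System.out.println("DOCTYPE document rejected: " + isRejected(factory, withDoctype));
        System.out.println("plain document rejected:   " + isRejected(factory, plain));
    }
}
```

        Running the same two inputs through a factory from DocumentBuilderFactory.newInstance() with no features set gives a baseline for a regression test of the hardened one.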