Package com.day.cq.dam.commons.xml
Interface SecureDocumentBuilderFactory

All Known Implementing Classes:
    DocumentBuilderFactoryProvider

public interface SecureDocumentBuilderFactory
Interface that provides a DocumentBuilderFactory instance which is not susceptible to XXE/XEE attacks. The following XML parsing vulnerabilities were detected in SAXReader objects in Apache POI:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
This interface is for internal use only.
Method Summary

Modifier and Type                           Method and Description
javax.xml.parsers.DocumentBuilderFactory    createSecureBuilderFactory(java.lang.Boolean setNamespaceAware)
                                            Invoked when a new instance of DocumentBuilderFactory is required.
Method Detail

createSecureBuilderFactory

javax.xml.parsers.DocumentBuilderFactory createSecureBuilderFactory(java.lang.Boolean setNamespaceAware)
        throws javax.xml.parsers.ParserConfigurationException

Invoked when a new instance of DocumentBuilderFactory is required.

Parameters:
    setNamespaceAware - Whether to set the NamespaceAware configuration of the DocumentBuilderFactory to true or not.
Returns:
    A new instance of DocumentBuilderFactory.
Throws:
    javax.xml.parsers.ParserConfigurationException - If a DocumentBuilder cannot be created which satisfies the configuration requested.

The following configuration has been applied to the returned factory:

    factory.setNamespaceAware(true);
    factory.setValidating(true);
    factory.setExpandEntityReferences(false);
    factory.setFeature("http://xml.org/sax/features/validation", true);
    // do not include external general entities
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // do not include external parameter entities or the external DTD subset
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // build the grammar but do not use the default attributes and attribute types information it contains
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
    // ignore the external DTD completely
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
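As an added example (not code from the AEM API or from the DocumentBuilderFactoryProvider implementation), the class below applies the configuration listed above in a local stand-in named localSecureFactory and adds an isHardened check that a consumer can run on any factory, including one returned by createSecureBuilderFactory(Boolean.TRUE), to confirm the entity-related features are actually present before parsing untrusted input. The method names, the sample XML and the example.invalid URL are constructed for this example. Because the listed configuration turns validation on, the parse attaches an ErrorHandler that ignores validity errors (the sample declares no element types) while still failing on well-formedness errors.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Example only: a local stand-in for the AEM service plus a check for factories obtained from it. */
public class SecureFactoryCheck {

    /** Features from the page and the value each must carry on a hardened factory. */
    static final Map<String, Boolean> REQUIRED_FEATURES = new LinkedHashMap<>();
    static {
        REQUIRED_FEATURES.put("http://xml.org/sax/features/validation", true);
        REQUIRED_FEATURES.put("http://xml.org/sax/features/external-general-entities", false);
        REQUIRED_FEATURES.put("http://xml.org/sax/features/external-parameter-entities", false);
        REQUIRED_FEATURES.put("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        REQUIRED_FEATURES.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    }

    /** Hypothetical stand-in for createSecureBuilderFactory: applies the configuration the page lists. */
    static DocumentBuilderFactory localSecureFactory(boolean namespaceAware) throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(namespaceAware);
        factory.setValidating(true);
        factory.setExpandEntityReferences(false);
        for (Map.Entry<String, Boolean> feature : REQUIRED_FEATURES.entrySet()) {
            factory.setFeature(feature.getKey(), feature.getValue());
        }
        return factory;
    }

    /**
     * Checks that a factory (for instance one returned by createSecureBuilderFactory)
     * still carries every feature above. A factory that lacks one, or whose parser
     * does not support one, is reported as not hardened.
     */
    static boolean isHardened(DocumentBuilderFactory factory) {
        if (factory.isExpandEntityReferences()) {
            return false;
        }
        for (Map.Entry<String, Boolean> feature : REQUIRED_FEATURES.entrySet()) {
            try {
                if (factory.getFeature(feature.getKey()) != feature.getValue().booleanValue()) {
                    return false;
                }
            } catch (ParserConfigurationException unsupported) {
                return false;
            }
        }
        return true;
    }

    /**
     * Parses XML with the given factory and returns the root element's text.
     * Validation is on, so an ErrorHandler is attached: validity errors are
     * ignored, well-formedness (fatal) errors still abort the parse.
     */
    static String rootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) { }
            public void error(SAXParseException e) { }   // validity problems only
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: declares an external entity and references it in element content.
        String untrusted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"http://example.invalid/external.txt\"> ]>\n"
            + "<data>&ext;</data>";

        DocumentBuilderFactory hardened = localSecureFactory(true);
        System.out.println("hardened factory passes check: " + isHardened(hardened));
        // The external entity is never fetched; the reference is left empty, so the text is ''.
        System.out.println("root text with hardened factory: '" + rootText(hardened, untrusted) + "'");

        // A default factory for contrast: the check rejects it, so it is not used on the input above.
        DocumentBuilderFactory plain = DocumentBuilderFactory.newInstance();
        System.out.println("default factory passes check: " + isHardened(plain));
    }
}
```

Running the main method with a plain JDK prints true for the hardened factory, an empty root text for the constructed document (the entity reference is kept as an empty node rather than resolved), and false for the default factory, which still expands entity references. In AEM code the factory under test would come from the injected SecureDocumentBuilderFactory service via createSecureBuilderFactory(Boolean.TRUE) and be passed to isHardened before it is used on any input that did not originate inside the repository.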