Package com.itextpdf.kernel.utils
Class DefaultSafeXmlParserFactory
- java.lang.Object
  - com.itextpdf.kernel.utils.DefaultSafeXmlParserFactory
- All Implemented Interfaces: IXmlParserFactory
public class DefaultSafeXmlParserFactory extends java.lang.Object implements IXmlParserFactory
Implementation of IXmlParserFactory for creating safe xml parser objects. Creates parsers with configuration to prevent XML bombs and XXE attacks.
-
-
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- private static class DefaultSafeXmlParserFactory.SafeEmptyEntityResolver
-
Field Summary
Fields (Modifier and Type, Field, Description):
- private static java.lang.String DISALLOW_DOCTYPE_DECL - Feature for disallowing DOCTYPE declaration.
- private static java.lang.String EXTERNAL_GENERAL_ENTITIES - If you can't disable DOCTYPE declarations, then at least disable external entities.
- private static java.lang.String EXTERNAL_PARAMETER_ENTITIES - Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
- private static java.lang.String LOAD_EXTERNAL_DTD - Disable external DTDs.
- private static org.slf4j.Logger LOGGER
-
Constructor Summary
Constructors (Constructor, Description):
- DefaultSafeXmlParserFactory() - Creates instance of DefaultSafeXmlParserFactory.
-
Method Summary
Methods (Modifier and Type, Method, Description):
- protected void configureSafeDocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory factory) - Configures document builder factory to make it secure against xml attacks.
- protected void configureSafeSAXParserFactory(javax.xml.parsers.SAXParserFactory factory) - Configures SAX parser factory to make it secure against xml attacks.
- protected void configureSafeTransformerFactory(javax.xml.transform.TransformerFactory factory) - Configures transformer factory to make it secure against xml attacks.
- protected javax.xml.parsers.DocumentBuilderFactory createDocumentBuilderFactory() - Creates a document builder factory implementation.
- javax.xml.parsers.DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments) - Creates the instance of the DocumentBuilder.
- protected javax.xml.parsers.SAXParserFactory createSAXParserFactory() - Creates a SAX parser factory implementation.
- javax.xml.transform.Transformer createTransformerInstance() - Creates the instance of the Transformer.
- org.xml.sax.XMLReader createXMLReaderInstance(boolean namespaceAware, boolean validating) - Creates the instance of the XMLReader.
- private void tryToSetFeature(javax.xml.parsers.DocumentBuilderFactory factory, java.lang.String feature, boolean value)
- private void tryToSetFeature(javax.xml.parsers.SAXParserFactory factory, java.lang.String feature, boolean value)
-
-
-
Field Detail
-
LOGGER
private static final org.slf4j.Logger LOGGER
-
DISALLOW_DOCTYPE_DECL
private static final java.lang.String DISALLOW_DOCTYPE_DECL
Feature for disallowing DOCTYPE declaration.
Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
- See Also:
- Constant Field Values
-
EXTERNAL_GENERAL_ENTITIES
private static final java.lang.String EXTERNAL_GENERAL_ENTITIES
If you can't disable DOCTYPE declarations, then at least disable external entities. Must be used with the EXTERNAL_PARAMETER_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
JDK7+ - http://xml.org/sax/features/external-general-entities
- See Also:
- Constant Field Values
-
EXTERNAL_PARAMETER_ENTITIES
private static final java.lang.String EXTERNAL_PARAMETER_ENTITIES
Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
JDK7+ - http://xml.org/sax/features/external-parameter-entities
- See Also:
- Constant Field Values
-
LOAD_EXTERNAL_DTD
private static final java.lang.String LOAD_EXTERNAL_DTD
Disable external DTDs.
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
DefaultSafeXmlParserFactory
public DefaultSafeXmlParserFactory()
Creates instance of DefaultSafeXmlParserFactory.
-
-
Method Detail
-
createDocumentBuilderInstance
public javax.xml.parsers.DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments)
Description copied from interface: IXmlParserFactory
Creates the instance of the DocumentBuilder.
- Specified by: createDocumentBuilderInstance in interface IXmlParserFactory
- Parameters:
  namespaceAware - specifies whether the parser should be namespace aware
  ignoringComments - specifies whether the parser should ignore comments
- Returns: instance of the DocumentBuilder
-
createXMLReaderInstance
public org.xml.sax.XMLReader createXMLReaderInstance(boolean namespaceAware, boolean validating)
Description copied from interface: IXmlParserFactory
Creates the instance of the XMLReader.
- Specified by: createXMLReaderInstance in interface IXmlParserFactory
- Parameters:
  namespaceAware - specifies whether the parser should be namespace aware
  validating - specifies whether the parser should validate documents as they are parsed
- Returns: instance of the XMLReader
-
createTransformerInstance
public javax.xml.transform.Transformer createTransformerInstance()
Description copied from interface: IXmlParserFactory
Creates the instance of the Transformer.
- Specified by: createTransformerInstance in interface IXmlParserFactory
- Returns: instance of the Transformer
-
createDocumentBuilderFactory
protected javax.xml.parsers.DocumentBuilderFactory createDocumentBuilderFactory()
Creates a document builder factory implementation.
- Returns: result of DocumentBuilderFactory.newInstance() call
-
createSAXParserFactory
protected javax.xml.parsers.SAXParserFactory createSAXParserFactory()
Creates a SAX parser factory implementation.
- Returns: result of SAXParserFactory.newInstance() call
-
configureSafeDocumentBuilderFactory
protected void configureSafeDocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory factory)
Configures document builder factory to make it secure against xml attacks.
- Parameters:
  factory - DocumentBuilderFactory instance to be configured
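The hardening described for this class, sketched with the plain JAXP API as an added example (not iText's own code): it sets the four features listed under Field Detail, tolerates a parser that rejects one of them, and checks a constructed document that carries a DOCTYPE. The Apache feature URIs used for DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD and the class name SafeDomParserDemo are assumptions; the values of the private constants are not shown on this page.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SafeDomParserDemo {
    // Standard Xerces/SAX feature identifiers; assumed to match the private constants above.
    static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // A feature the underlying parser does not recognise is reported, not treated as fatal.
    static void tryToSetFeature(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            System.err.println("Parser does not support " + feature + ": " + e.getMessage());
        }
    }

    static DocumentBuilder newSafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        tryToSetFeature(factory, DISALLOW_DOCTYPE_DECL, true);
        tryToSetFeature(factory, EXTERNAL_GENERAL_ENTITIES, false);
        tryToSetFeature(factory, EXTERNAL_PARAMETER_ENTITIES, false);
        tryToSetFeature(factory, LOAD_EXTERNAL_DTD, false);
        return factory.newDocumentBuilder();
    }

    // Returns true when the hardened parser accepts the document, false when it rejects it.
    static boolean parses(String xml) throws Exception {
        try {
            newSafeBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false; // rejected by the parser configuration
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one that declares an internal entity.
        String plain = "<note><body>hello</body></note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY e \"x\">]><note><body>&e;</body></note>";
        System.out.println("plain parsed: " + parses(plain));
        System.out.println("doctype parsed: " + parses(withDoctype));
    }
}
```

Running the same two inputs through an unconfigured DocumentBuilderFactory.newInstance() is a quick regression check that the hardening, and not the input, is what causes the rejection.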
-
configureSafeSAXParserFactory
protected void configureSafeSAXParserFactory(javax.xml.parsers.SAXParserFactory factory)
Configures SAX parser factory to make it secure against xml attacks.
- Parameters:
  factory - SAXParserFactory instance to be configured
-
configureSafeTransformerFactory
protected void configureSafeTransformerFactory(javax.xml.transform.TransformerFactory factory)
Configures transformer factory to make it secure against xml attacks.
- Parameters:
  factory - TransformerFactory instance to be configured
-
tryToSetFeature
private void tryToSetFeature(javax.xml.parsers.DocumentBuilderFactory factory, java.lang.String feature, boolean value)
-
tryToSetFeature
private void tryToSetFeature(javax.xml.parsers.SAXParserFactory factory, java.lang.String feature, boolean value)
-
-