Package com.itextpdf.kernel.utils
Class DefaultSafeXmlParserFactory
java.lang.Object
com.itextpdf.kernel.utils.DefaultSafeXmlParserFactory
- All Implemented Interfaces:
IXmlParserFactory
Implementation of IXmlParserFactory for creating safe xml parser objects. Creates parsers with configuration to prevent XML bombs and XXE attacks.
-
Nested Class Summary
Nested Classes
Modifier and Type | Class | Description
private static class
-
Field Summary
Fields
Modifier and Type | Field | Description
private static final String | DISALLOW_DOCTYPE_DECL | Feature for disallowing DOCTYPE declaration.
private static final String | EXTERNAL_GENERAL_ENTITIES | If you can't disable DOCTYPE declarations, then at least disable external entities.
private static final String | EXTERNAL_PARAMETER_ENTITIES | Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
private static final String | LOAD_EXTERNAL_DTD | Disable external DTDs.
private static final org.slf4j.Logger | LOGGER |
-
Constructor Summary
Constructors
DefaultSafeXmlParserFactory() | Creates instance of DefaultSafeXmlParserFactory.
-
Method Summary
Modifier and Type | Method | Description
protected void | configureSafeDocumentBuilderFactory(DocumentBuilderFactory factory) | Configures document builder factory to make it secure against xml attacks.
protected void | configureSafeSAXParserFactory(SAXParserFactory factory) | Configures SAX parser factory to make it secure against xml attacks.
protected void | configureSafeTransformerFactory(TransformerFactory factory) | Configures transformer factory to make it secure against xml attacks.
protected DocumentBuilderFactory | createDocumentBuilderFactory() | Creates a document builder factory implementation.
DocumentBuilder | createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments) | Creates the instance of the DocumentBuilder.
protected SAXParserFactory | createSAXParserFactory() | Creates a SAX parser factory implementation.
Transformer | createTransformerInstance() | Creates the instance of the Transformer.
XMLReader | createXMLReaderInstance(boolean namespaceAware, boolean validating) | Creates the instance of the XMLReader.
private void | tryToSetFeature(DocumentBuilderFactory factory, String feature, boolean value) |
private void | tryToSetFeature(SAXParserFactory factory, String feature, boolean value) |
-
Field Details
-
LOGGER
private static final org.slf4j.Logger LOGGER
-
DISALLOW_DOCTYPE_DECL
Feature for disallowing DOCTYPE declaration.
Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
- See Also:
-
EXTERNAL_GENERAL_ENTITIES
If you can't disable DOCTYPE declarations, then at least disable external entities. Must be used with the EXTERNAL_PARAMETER_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
JDK7+ - http://xml.org/sax/features/external-general-entities
- See Also:
-
EXTERNAL_PARAMETER_ENTITIES
Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
JDK7+ - http://xml.org/sax/features/external-parameter-entities
- See Also:
-
LOAD_EXTERNAL_DTD
Disable external DTDs.
- See Also:
-
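The four features described above, applied to a plain JDK DocumentBuilderFactory and checked against a constructed document. This is an added example, not iText's own code: the class and helper names are hypothetical, and the two Apache feature URIs are the standard Xerces identifiers, assumed here to be the values behind DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD (the page does not show the constant values).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SafeParserDemo {
    // The two SAX URIs appear on this page; the two Apache URIs are assumed (standard Xerces ids).
    static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Set a feature, tolerating parser implementations that do not recognise it.
    static void trySetFeature(DocumentBuilderFactory f, String feature, boolean value) {
        try {
            f.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            System.err.println("Feature not supported by this parser: " + feature);
        }
    }

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        trySetFeature(f, DISALLOW_DOCTYPE_DECL, true);          // primary defence: no DOCTYPE at all
        trySetFeature(f, EXTERNAL_GENERAL_ENTITIES, false);     // fallback pair: set both,
        trySetFeature(f, EXTERNAL_PARAMETER_ENTITIES, false);   // one alone has no effect
        trySetFeature(f, LOAD_EXTERNAL_DTD, false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed, false if the hardened parser rejected it.
    static boolean parses(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one declaring a DOCTYPE with an internal entity.
        String plain = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY e \"x\">]><root>&e;</root>";
        System.out.println("plain parses: " + parses(plain));
        System.out.println("DOCTYPE document parses: " + parses(withDoctype));
    }
}
```

A check like this is worth keeping as a regression test, since a parser implementation swapped in on the classpath may silently not support one of the features.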
-
Constructor Details
-
DefaultSafeXmlParserFactory
public DefaultSafeXmlParserFactory()
Creates instance of DefaultSafeXmlParserFactory.
-
-
Method Details
-
createDocumentBuilderInstance
public DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments)
Description copied from interface: IXmlParserFactory
Creates the instance of the DocumentBuilder.
- Specified by:
createDocumentBuilderInstance in interface IXmlParserFactory
- Parameters:
namespaceAware - specifies whether the parser should be namespace aware
ignoringComments - specifies whether the parser should ignore comments
- Returns:
instance of the DocumentBuilder
-
createXMLReaderInstance
Description copied from interface: IXmlParserFactory
Creates the instance of the XMLReader.
- Specified by:
createXMLReaderInstance in interface IXmlParserFactory
- Parameters:
namespaceAware - specifies whether the parser should be namespace aware
validating - specifies whether the parser should validate documents as they are parsed
- Returns:
instance of the XMLReader
-
createTransformerInstance
Description copied from interface: IXmlParserFactory
Creates the instance of the Transformer.
- Specified by:
createTransformerInstance in interface IXmlParserFactory
- Returns:
instance of the Transformer
-
createDocumentBuilderFactory
Creates a document builder factory implementation.
- Returns:
result of DocumentBuilderFactory.newInstance() call
-
createSAXParserFactory
Creates a SAX parser factory implementation.
- Returns:
result of SAXParserFactory.newInstance() call
-
configureSafeDocumentBuilderFactory
Configures document builder factory to make it secure against xml attacks.
- Parameters:
factory - DocumentBuilderFactory instance to be configured
-
configureSafeSAXParserFactory
Configures SAX parser factory to make it secure against xml attacks.
- Parameters:
factory - SAXParserFactory instance to be configured
-
configureSafeTransformerFactory
Configures transformer factory to make it secure against xml attacks.
- Parameters:
factory - TransformerFactory instance to be configured
-
tryToSetFeature
-
tryToSetFeature
-