Class DefaultSafeXmlParserFactory

  • All Implemented Interfaces:
    IXmlParserFactory

    public class DefaultSafeXmlParserFactory
    extends java.lang.Object
    implements IXmlParserFactory
    Implementation of IXmlParserFactory for creating safe XML parser objects. Creates parsers configured to prevent XML bombs and XXE attacks.
    • Field Detail

      • LOGGER

        private static final org.slf4j.Logger LOGGER
      • DISALLOW_DOCTYPE_DECL

        private static final java.lang.String DISALLOW_DOCTYPE_DECL
        Feature for disallowing DOCTYPE declaration.

        Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl

        See Also:
        Constant Field Values
      • EXTERNAL_GENERAL_ENTITIES

        private static final java.lang.String EXTERNAL_GENERAL_ENTITIES
        If you can't disable DOCTYPE declarations, then at least disable external entities. Must be used together with EXTERNAL_PARAMETER_ENTITIES; otherwise it has no effect.

        Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
        Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
        JDK7+ - http://xml.org/sax/features/external-general-entities

        See Also:
        Constant Field Values
      • EXTERNAL_PARAMETER_ENTITIES

        private static final java.lang.String EXTERNAL_PARAMETER_ENTITIES
        Must be used together with EXTERNAL_GENERAL_ENTITIES; otherwise it has no effect.

        Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
        Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
        JDK7+ - http://xml.org/sax/features/external-parameter-entities

        See Also:
        Constant Field Values
      • LOAD_EXTERNAL_DTD

        private static final java.lang.String LOAD_EXTERNAL_DTD
        Disable external DTDs.
        See Also:
        Constant Field Values
    • Method Detail

      • createDocumentBuilderInstance

        public javax.xml.parsers.DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware,
                                                                               boolean ignoringComments)
        Description copied from interface: IXmlParserFactory
        Creates the instance of the DocumentBuilder.
        Specified by:
        createDocumentBuilderInstance in interface IXmlParserFactory
        Parameters:
        namespaceAware - specifies whether the parser should be namespace aware
        ignoringComments - specifies whether the parser should ignore comments
        Returns:
        instance of the DocumentBuilder
      • createXMLReaderInstance

        public org.xml.sax.XMLReader createXMLReaderInstance(boolean namespaceAware,
                                                             boolean validating)
        Description copied from interface: IXmlParserFactory
        Creates the instance of the XMLReader.
        Specified by:
        createXMLReaderInstance in interface IXmlParserFactory
        Parameters:
        namespaceAware - specifies whether the parser should be namespace aware
        validating - specifies whether the parser should validate documents as they are parsed
        Returns:
        instance of the XMLReader
      • createTransformerInstance

        public javax.xml.transform.Transformer createTransformerInstance()
        Description copied from interface: IXmlParserFactory
        Creates the instance of the Transformer.
        Specified by:
        createTransformerInstance in interface IXmlParserFactory
        Returns:
        instance of the Transformer
      • createDocumentBuilderFactory

        protected javax.xml.parsers.DocumentBuilderFactory createDocumentBuilderFactory()
        Creates a document builder factory implementation.
        Returns:
        result of DocumentBuilderFactory.newInstance() call
      • createSAXParserFactory

        protected javax.xml.parsers.SAXParserFactory createSAXParserFactory()
        Creates a SAX parser factory implementation.
        Returns:
        result of SAXParserFactory.newInstance() call
      • configureSafeDocumentBuilderFactory

        protected void configureSafeDocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory factory)
        Configures the document builder factory to make it secure against XML attacks.
        Parameters:
        factory - DocumentBuilderFactory instance to be configured
      • configureSafeSAXParserFactory

        protected void configureSafeSAXParserFactory(javax.xml.parsers.SAXParserFactory factory)
        Configures the SAX parser factory to make it secure against XML attacks.
        Parameters:
        factory - SAXParserFactory instance to be configured
      • configureSafeTransformerFactory

        protected void configureSafeTransformerFactory(javax.xml.transform.TransformerFactory factory)
        Configures the transformer factory to make it secure against XML attacks.
        Parameters:
        factory - TransformerFactory instance to be configured
      • tryToSetFeature

        private void tryToSetFeature(javax.xml.parsers.DocumentBuilderFactory factory,
                                     java.lang.String feature,
                                     boolean value)
      • tryToSetFeature

        private void tryToSetFeature(javax.xml.parsers.SAXParserFactory factory,
                                     java.lang.String feature,
                                     boolean value)
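
One way a DocumentBuilderFactory can be hardened with the four features listed under Field Detail, using a best-effort setter like tryToSetFeature. This is an added example, not the library's own code: the feature URI strings are the standard Xerces/SAX names and are assumed to match the private constants, and the class name, return value of the helper and sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SafeDocumentBuilderExample {
    // Standard Xerces/SAX feature URIs; assumed to match the private constants documented above.
    static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Best-effort setter: not every JAXP implementation recognises every feature,
    // so an unsupported one is reported instead of aborting the whole configuration.
    static boolean tryToSetFeature(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
            return true;
        } catch (ParserConfigurationException e) {
            System.err.println("Feature not supported by this parser: " + feature);
            return false;
        }
    }

    static DocumentBuilder createSafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        tryToSetFeature(factory, DISALLOW_DOCTYPE_DECL, true);         // reject any DOCTYPE
        tryToSetFeature(factory, EXTERNAL_GENERAL_ENTITIES, false);    // fallback if DOCTYPE is allowed
        tryToSetFeature(factory, EXTERNAL_PARAMETER_ENTITIES, false);  // set together with the one above
        tryToSetFeature(factory, LOAD_EXTERNAL_DTD, false);            // never fetch an external DTD
        return factory.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE with one internal entity and no external reference.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        DocumentBuilder builder = createSafeBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("Parsed: DOCTYPE was accepted, so the hardening did not take effect");
        } catch (SAXException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

A regression test built on this check (feed a DOCTYPE-bearing document and require a SAXException) catches the case where a swapped-in parser implementation silently ignores the features.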