Merge pull request #100 from coheigea/parser-doctypes
Disallow DocTypes in the Blueprint Parser
diff --git a/blueprint/blueprint-parser/src/main/java/org/apache/aries/blueprint/parser/Parser.java b/blueprint/blueprint-parser/src/main/java/org/apache/aries/blueprint/parser/Parser.java
index 10a9b39..3afcf50 100644
--- a/blueprint/blueprint-parser/src/main/java/org/apache/aries/blueprint/parser/Parser.java
+++ b/blueprint/blueprint-parser/src/main/java/org/apache/aries/blueprint/parser/Parser.java
@@ -22,6 +22,7 @@
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
@@ -1461,6 +1462,12 @@
if (documentBuilderFactory == null) {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
+ try {
+ dbf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (ParserConfigurationException ex) {
+ throw new ComponentDefinitionException("Unable to create the document builder", ex);
+ }
documentBuilderFactory = dbf;
}
return documentBuilderFactory;
