Disable external DTDs/stylesheets when secure validation is enabled

git-svn-id: https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk@1868858 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java b/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
index 73df59a..b08b599 100644
--- a/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
+++ b/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
@@ -84,6 +84,10 @@
             if (transformerFactory == null) {
                 transformerFactory = TransformerFactory.newInstance();
                 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                if (secureValidation) {
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                }
             }
             Transformer transformer = transformerFactory.newTransformer();
 
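Review bot: The factory is created once and cached behind the `transformerFactory == null` guard, so whether the ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_STYLESHEET restrictions are present is fixed by the `secureValidation` value of whichever call initialises it first; a later call with secure validation enabled then reuses an unrestricted factory, and the reverse ordering restricts callers that did not ask for it (whether `secureValidation` is a field or a parameter is not visible here, but the caching makes the coupling real either way). Simplest fix is to apply the two `setAttribute` lines unconditionally, i.e. drop the `if (secureValidation)` wrapper; otherwise the factory should not be shared across differing secureValidation values. Note also that `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the implementation does not recognise the attribute (pre-JAXP 1.5 factories such as older standalone Xalan), so this method now has a new failure mode that callers should be aware of; the same applies to the XIncludeHandler and TransformXSLT hunks. The enclosing method starts and ends outside the hunk.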
diff --git a/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java b/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
index 04e3882..9bb65b6 100644
--- a/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
+++ b/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
@@ -153,6 +153,9 @@
                     XMLReader xmlReader = XMLReaderFactory.createXMLReader();
                     SAXTransformerFactory saxTransformerFactory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
                     saxTransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                    saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
                     TransformerHandler transformerHandler = saxTransformerFactory.newTransformerHandler();
                     transformerHandler.setResult(domResult);
                     xmlReader.setContentHandler(new XIncludeHandler(transformerHandler, uriDocMap));
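Review bot: The `XMLReader` obtained from `XMLReaderFactory.createXMLReader()` at the top of the hunk is the component that actually parses the input and resolves DTDs and external entities, and nothing in this hunk hardens it — the new attributes only restrict the identity transformer built from `saxTransformerFactory`, which is useful defense in depth but does not stop the reader from fetching external entities unless that is configured outside the hunk. Consider setting `xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside the standard SAX features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` set to false (each may throw SAXNotRecognizedException/SAXNotSupportedException on some parsers, so wrap accordingly). As a point of style, `XMLReaderFactory` is deprecated since Java 9 in favour of `SAXParserFactory.newInstance().newSAXParser().getXMLReader()`, which also exposes FEATURE_SECURE_PROCESSING directly on the factory. The second hunk in this file (line 177 onward) hardens a transformer factory in the same way and does not have this reader issue. The enclosing method starts and ends outside the hunk.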
@@ -177,6 +180,9 @@
             try {
                 TransformerFactory transformerFactory = TransformerFactory.newInstance();
                 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
                 Transformer transformer = transformerFactory.newTransformer();
                 if (xpointer == null) {
                     transformer.transform(new DOMSource(document, document.getDocumentURI()), saxResult);
diff --git a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
index b2be495..d7879df 100644
--- a/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
+++ b/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
@@ -93,6 +93,10 @@
             TransformerFactory tFactory = TransformerFactory.newInstance();
             // Process XSLT stylesheets in a secure manner
             tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            if (secureValidation) {
+                tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            }
 
             /*
              * This transform requires an octet stream as input. If the actual
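Review bot: When `secureValidation` is false the two new attributes are skipped, so a stylesheet run through this transform may still resolve external resources via `xsl:import`, `xsl:include` or `document()` with only whatever FEATURE_SECURE_PROCESSING alone enforces in the underlying implementation; since the XSLT transform is the one place in this commit where a stylesheet supplied with the signature is executed, it is worth deciding deliberately whether at least ACCESS_EXTERNAL_DTD should be blocked unconditionally here. Whichever way that goes, the comment above the `setFeature` call should say so, e.g. `// Process XSLT stylesheets in a secure manner; external DTD/stylesheet access is additionally blocked only when secureValidation is enabled`. `setAttribute` throws `IllegalArgumentException` on factories that do not know the JAXP 1.5 attributes, as noted on the TransformSerializer hunk. The enclosing method starts and ends outside the hunk.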