Set secure processing feature + disallow doctypes

commit: 47e14f3526011c584708fd73e502ffd0fc235ff9 [log] [tgz]
author: Colm O hEigeartaigh <coheigea@apache.org> Wed Nov 21 14:49:32 2018 +0000
committer: Colm O hEigeartaigh <coheigea@apache.org> Wed Nov 21 14:49:32 2018 +0000
tree: bdf08c0707c3813393a3c434137e6b04b85934a3
parent: 06e0f625c0d764e4a7ad9300f9834265b39a2617 [diff]
diff --git a/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java b/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java
index fa3cf08..8a76db1 100644
--- a/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java
+++ b/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java

@@ -21,6 +21,7 @@
 
 import java.util.Stack;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamConstants;
@@ -40,7 +41,11 @@
 
     public Element convert(XMLStreamReader reader) {
         try {
-            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+            Document doc = dbf.newDocumentBuilder().newDocument();
             readDocElements(doc, doc, reader);
             return doc.getDocumentElement();
         } catch (ParserConfigurationException ex) {
commit	47e14f3526011c584708fd73e502ffd0fc235ff9	[log] [tgz]
author	Colm O hEigeartaigh <coheigea@apache.org>	Wed Nov 21 14:49:32 2018 +0000
committer	Colm O hEigeartaigh <coheigea@apache.org>	Wed Nov 21 14:49:32 2018 +0000
tree	bdf08c0707c3813393a3c434137e6b04b85934a3
parent	06e0f625c0d764e4a7ad9300f9834265b39a2617 [diff]