Set secure processing feature + disallow doctypes
diff --git a/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java b/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java
index fa3cf08..8a76db1 100644
--- a/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java
+++ b/src/main/java/org/apache/neethi/builders/converters/StaxToDOMConverter.java
@@ -21,6 +21,7 @@
import java.util.Stack;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamConstants;
@@ -40,7 +41,11 @@
public Element convert(XMLStreamReader reader) {
try {
- Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+ Document doc = dbf.newDocumentBuilder().newDocument();
readDocElements(doc, doc, reader);
return doc.getDocumentElement();
} catch (ParserConfigurationException ex) {