Set secure processing feature and disallow doctypes
diff --git a/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaCollection.java b/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaCollection.java
index b61e3ff..fa16d24 100644
--- a/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaCollection.java
+++ b/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaCollection.java
@@ -33,6 +33,7 @@
import java.util.Map;
import java.util.Stack;
+import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -707,6 +708,8 @@
XmlSchema read(InputSource inputSource, TargetNamespaceValidator namespaceValidator) {
try {
DocumentBuilderFactory docFac = DocumentBuilderFactory.newInstance();
+ docFac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ docFac.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docFac.setNamespaceAware(true);
final DocumentBuilder builder = docFac.newDocumentBuilder();
Document doc = null;
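Review bot: The second added call in read() uses the Xerces-specific feature id `http://apache.org/xml/features/disallow-doctype-decl`, and `setFeature` throws ParserConfigurationException when the configured JAXP implementation does not recognise it, so on such a parser every schema read would fail; the catch clauses of this try are outside the hunk, so how that surfaces cannot be seen here. Any schema document that carries a DOCTYPE is now rejected as well, which is the safe default against XXE and entity expansion but is a behaviour change for callers. I would state both above the calls, e.g. `// Fail closed: no DOCTYPE at all (XXE / entity expansion); Xerces feature id, setFeature throws if unsupported`, and mention the rejection in the method's Javadoc. The same pair of lines is repeated in the XmlSchemaSerializer and DomBuilderFromSax hunks, where this note applies equally; one shared factory helper would keep the three configurations from drifting apart. `Boolean.TRUE` is unboxed to `boolean` here, so plain `true` would match the line that follows it.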
diff --git a/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaSerializer.java b/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaSerializer.java
index f946b95..c04319e 100644
--- a/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaSerializer.java
+++ b/xmlschema-core/src/main/java/org/apache/ws/commons/schema/XmlSchemaSerializer.java
@@ -1548,6 +1548,9 @@
Document serializedSchemaDocs;
try {
DocumentBuilderFactory docFac = DocumentBuilderFactory.newInstance();
+ docFac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ docFac.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
docFac.setNamespaceAware(true);
DocumentBuilder builder = docFac.newDocumentBuilder();
serializedSchemaDocs = builder.newDocument();
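Review bot: In the lines visible here the builder is only used for `builder.newDocument()`, so nothing is parsed and the two added features guard no input at this call site, while still adding a way for serialization to fail if the parser rejects the Xerces feature id. If the hardening is kept for uniformity, say so in a comment such as `// Hardened for consistency with the parsing factories; this builder only creates an empty Document`. This file section also shows no import hunk for `XMLConstants`, so it is worth confirming the class already imports `javax.xml.XMLConstants`. The enclosing method starts and ends outside the hunk.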
diff --git a/xmlschema-walker/src/main/java/org/apache/ws/commons/schema/docpath/DomBuilderFromSax.java b/xmlschema-walker/src/main/java/org/apache/ws/commons/schema/docpath/DomBuilderFromSax.java
index 44e57af..9e2fe9c 100644
--- a/xmlschema-walker/src/main/java/org/apache/ws/commons/schema/docpath/DomBuilderFromSax.java
+++ b/xmlschema-walker/src/main/java/org/apache/ws/commons/schema/docpath/DomBuilderFromSax.java
@@ -25,6 +25,7 @@
import java.util.Map;
import java.util.Set;
+import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -77,6 +78,8 @@
}
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setNamespaceAware(true);
docBuilder = factory.newDocumentBuilder();