BATIK-1395: Add secure processing to XMLInputHandler
diff --git a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/XMLInputHandler.java b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/XMLInputHandler.java
index 350416c..62bfece 100644
--- a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/XMLInputHandler.java
+++ b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/XMLInputHandler.java
@@ -23,6 +23,7 @@
 import java.io.StringWriter;
 import java.util.HashMap;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Source;
@@ -160,9 +161,11 @@
     public void handle(ParsedURL purl, JSVGViewerFrame svgViewerFrame) throws Exception {
         String uri = purl.toString();
 
-        TransformerFactory tFactory 
-            = TransformerFactory.newInstance();
-        
+        TransformerFactory tFactory = TransformerFactory.newInstance();
+        tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
         // First, load the input XML document into a generic DOM tree
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         dbf.setValidating(false);
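Review bot: The `DocumentBuilderFactory dbf` created directly below the hardened `tFactory` receives only `setValidating(false)` in the visible lines, and disabling validation does not stop a parser from fetching an external DTD or expanding external entities in the input document named by `purl`. Unless the rest of `handle`, which continues outside this hunk, already configures it, I would apply the same restrictions there: `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`. Separately, `tFactory.setAttribute(...)` throws `IllegalArgumentException` on a `TransformerFactory` implementation that does not recognise the JAXP 1.5 access properties, so it is worth confirming which implementation `newInstance()` resolves to at runtime. A one-line comment such as `// empty string = no protocol allowed for external DTDs/stylesheets` would also make the intent of the two `""` arguments clear to the next reader.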