pt.webdetails.cpf.utils.XmlParserFactoryProducer.java Source code

Java tutorial

Introduction

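Here is the source code for pt.webdetails.cpf.utils.XmlParserFactoryProducer.java, a small factory that returns a dom4j SAXReader with external-entity and external-DTD loading switched off to mitigate XML External Entity (XXE) attacks.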

Source

/*!
* Copyright 2002 - 2017 Webdetails, a Hitachi Vantara company.  All rights reserved.
*
* This software was developed by Webdetails and is provided under the terms
* of the Mozilla Public License, Version 2.0, or any later version. You may not use
* this file except in compliance with the license. If you need a copy of the license,
* please go to  http://mozilla.org/MPL/2.0/. The Initial Developer is Webdetails.
*
* Software distributed under the Mozilla Public License is distributed on an "AS IS"
* basis, WITHOUT WARRANTY OF ANY KIND, either express or  implied. Please refer to
* the license for the specific language governing your rights and limitations.
*/
package pt.webdetails.cpf.utils;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dom4j.io.SAXReader;
import org.xml.sax.EntityResolver;
import org.xml.sax.SAXException;

import javax.xml.XMLConstants;

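public class XmlParserFactoryProducer {
    private static final Log logger = LogFactory.getLog(XmlParserFactoryProducer.class);

    /** SAX feature controlling whether external general entities are included. */
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";

    /** SAX feature controlling whether external parameter entities (and the external DTD subset) are included. */
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";

    /** Xerces feature controlling whether a non-validating parser loads the external DTD. */
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /**
     * Creates a {@link SAXReader} hardened against XML External Entity (XXE) attacks
     * and, through the secure-processing feature, against entity-expansion attacks
     * (e.g. XML bomb).
     * See PPP-3506 for more details.
     * See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
     *
     * <p>Each hardening feature is applied on its own, so a parser that rejects one
     * feature still receives the others. The method does not throw when a feature is
     * rejected: the reader is returned with whatever hardening could be applied and the
     * failure is logged at error level with the feature name. Treat that log entry as a
     * security-relevant event, because the returned reader is then only partially hardened.
     *
     * <p>DOCTYPE declarations are still accepted. A caller that parses untrusted XML and
     * never needs a DTD can additionally set
     * {@code http://apache.org/xml/features/disallow-doctype-decl} to {@code true} on the
     * returned reader.
     *
     * @param resolver Is {@link EntityResolver} or null; when non-null it is installed on
     *                 the reader before the features are applied
     * @return {@link SAXReader} with the hardening features requested
     */
    public static SAXReader getSAXReader(final EntityResolver resolver) {
        SAXReader reader = new SAXReader();
        if (resolver != null) {
            reader.setEntityResolver(resolver);
        }

        // Applied one by one: a single unsupported feature must not leave the
        // remaining protections unset.
        setFeatureOrLog(reader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setFeatureOrLog(reader, EXTERNAL_GENERAL_ENTITIES, false);
        setFeatureOrLog(reader, EXTERNAL_PARAMETER_ENTITIES, false);
        setFeatureOrLog(reader, LOAD_EXTERNAL_DTD, false);

        // These two only control whether DTD declarations are copied into the
        // resulting document's DocumentType; the parser features above are what
        // stop external entities and DTDs from being fetched.
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    /**
     * Sets one parser feature and logs, rather than propagates, a rejection.
     *
     * @param reader  reader to configure
     * @param feature feature URI
     * @param value   value to set
     */
    private static void setFeatureOrLog(final SAXReader reader, final String feature, final boolean value) {
        try {
            reader.setFeature(feature, value);
        } catch (SAXException e) {
            // Keep the cause and the feature name so operators can tell which
            // protection is missing on this runtime's parser.
            logger.error("XML parser feature not supported, reader is not fully hardened: "
                + feature + "=" + value, e);
        }
    }
}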