XML 配置的解析器不阻止也不限制外部实体解析
XML parser configured does not prevent nor limit external entities resolution
尽管我将我的代码更改为我在网上找到的代码,但我每次都会再次遇到此错误:
private Document convertInputToDocument(InputStream xml) {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setIgnoringElementContentWhitespace(true);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(xml);
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
这 is/was 背后的原因是强化扫描不编译那些使用的包,因此看不到我们提供了足够的安全性!
尽管我将我的代码更改为我在网上找到的代码,但我每次都会再次遇到此错误:
private Document convertInputToDocument(InputStream xml) {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setIgnoringElementContentWhitespace(true);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(xml);
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
这 is/was 背后的原因是强化扫描不编译那些使用的包,因此看不到我们提供了足够的安全性!