How to disable XML External Entity (XXE) processing in a SAXBuilder that uses com.sun.org.apache.xerces.internal.parsers.SAXParser

Here is my code snippet:

public static SAXBuilder createBuilder(@NotNull final String schemaPath) {
    // JDOM SAXBuilder backed by the JDK-internal Xerces parser, with validation turned on
    final SAXBuilder builder = new SAXBuilder("com.sun.org.apache.xerces.internal.parsers.SAXParser", true);
    builder.setFeature("http://apache.org/xml/features/validation/schema", true);
    builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    // XXE hardening: reject DOCTYPE declarations and do not resolve external entities
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    builder.setExpandEntities(false);

    // Validate against the local schema and route entity lookups through our own resolver
    builder.setProperty("http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation", schemaPath);
    builder.setEntityResolver(getEntityResolver());
    return builder;
}

I have already spent some time searching, but did not find much.

I identified the root cause of this issue. It was the processContents="lax" attribute in my XSD.