mirror of https://github.com/M66B/FairEmail.git
Enable XML secure processing
parent
efc29f28c5
commit
7456ba958e
|
@ -21,6 +21,7 @@ import java.util.Iterator;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.namespace.QName;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerConfigurationException;
|
||||
|
@ -472,6 +473,7 @@ public class XCalDocument {
|
|||
Transformer transformer;
|
||||
try {
|
||||
TransformerFactory factory = TransformerFactory.newInstance();
|
||||
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
transformer = factory.newTransformer();
|
||||
} catch (TransformerConfigurationException e) {
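Review bot: `XMLConstants.FEATURE_SECURE_PROCESSING` is passed to `factory.setAttribute(...)` in what appears to be the added line of this hunk, but secure processing is defined as a feature, and `TransformerFactory.setFeature` is the call every implementation is required to support for it. `setAttribute` is meant for implementation-specific attributes and is documented to throw `IllegalArgumentException` for a name the implementation does not recognise, which the visible `catch (TransformerConfigurationException e)` would not handle. I would change the line to `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. The same line appears in the XCalReader, XmlUtils.toWriter and text_xml hunks further down, and the try block here continues outside the hunk.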
|
||||
|
|
|
@ -22,6 +22,7 @@ import java.util.List;
|
|||
import java.util.concurrent.ArrayBlockingQueue;
|
||||
import java.util.concurrent.BlockingQueue;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.namespace.QName;
|
||||
import javax.xml.transform.ErrorListener;
|
||||
import javax.xml.transform.Source;
|
||||
|
@ -206,6 +207,7 @@ public class XCalReader extends StreamReader {
|
|||
//create the transformer
|
||||
try {
|
||||
TransformerFactory factory = TransformerFactory.newInstance();
|
||||
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
XmlUtils.applyXXEProtection(factory);
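Review bot: The inline factory settings sit directly above the existing call to `XmlUtils.applyXXEProtection(factory)`, so the hardening of this TransformerFactory is now expressed in two forms in one place and copied by hand into three other files. If that helper is the project's central place for hardening a factory (its body is not visible on this page, so this is an assumption), setting secure processing inside it and calling it from the XCalDocument, XmlUtils.toWriter and text_xml sites would keep all four consistent and make a later fix a one-line change. If the inline calls have to stay, a short comment stating what they add over the helper would help the next reader.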
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ import java.util.HashMap;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.namespace.QName;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
|
@ -291,6 +292,7 @@ public final class XmlUtils {
|
|||
public static void toWriter(Node node, Writer writer, Map<String, String> outputProperties) throws TransformerException {
|
||||
try {
|
||||
TransformerFactory factory = TransformerFactory.newInstance();
|
||||
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
Transformer transformer = factory.newTransformer();
|
||||
for (Map.Entry<String, String> property : outputProperties.entrySet()) {
|
||||
|
|
|
@ -39,6 +39,8 @@ public abstract class XmlConverter {
|
|||
static {
|
||||
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
|
||||
try {
|
||||
dbFactory.setXIncludeAware(false);
|
||||
dbFactory.setExpandEntityReferences(false);
|
||||
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
documentBuilder = dbFactory.newDocumentBuilder();
|
||||
} catch (ParserConfigurationException e) {
|
||||
|
|
|
@ -23,6 +23,7 @@ import javax.activation.ActivationDataFlavor;
|
|||
import javax.activation.DataSource;
|
||||
import javax.mail.internet.ContentType;
|
||||
import javax.mail.internet.ParseException;
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.transform.Source;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -80,6 +81,7 @@ public class text_xml extends text_plain {
|
|||
|
||||
try {
|
||||
TransformerFactory factory = TransformerFactory.newInstance();
|
||||
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
Transformer transformer = factory.newTransformer();
|
||||
StreamResult result = new StreamResult(os);
|
||||
|
|