X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=src%2Fmain%2Fjava%2Fjp%2Fsfjp%2Fmikutoga%2Ftypical%2FI18nAlias.java;h=5942a412b25cea8242d08dee6f8e89bda63d3907;hb=refs%2Fheads%2Fmaster;hp=4c4de31d7324ae5b067200eb26c8c225df98ee86;hpb=d1cde1f17131ca29f084ea7dc8ee0ef72cab7cfc;p=mikutoga%2FTogaGem.git
diff --git a/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java b/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
index 4c4de31..5942a41 100644
--- a/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
+++ b/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.LinkedList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -43,6 +44,15 @@ class I18nAlias {
 public static final Comparator ORDER_COMPARATOR = new OrderComparator();
+ private static final String F_DISALLOW_DOCTYPE_DECL =
+ "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String F_EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";
+ private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+ "http://xml.org/sax/features/external-parameter-entities";
+ private static final String F_LOAD_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
 private int orderNo;
@@ -110,6 +120,20 @@ class I18nAlias {
 DocumentBuilderFactory factory;
 factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+ factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+ factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+
+ // unsafe but we use DOCTYPE
+ factory.setFeature(F_DISALLOW_DOCTYPE_DECL, false);
+
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document doc = builder.parse(is);
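Review bot: The comment `// unsafe but we use DOCTYPE` above `factory.setFeature(F_DISALLOW_DOCTYPE_DECL, false)` does not say what still protects the parser once DOCTYPE is left enabled, so a later maintainer cannot tell which of the neighbouring settings are load-bearing. I would replace it with something like `// DOCTYPE stays enabled because our XML declares one; external DTD/entity loading is switched off above and entity expansion is bounded by FEATURE_SECURE_PROCESSING`. Separately, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws IllegalArgumentException on a parser implementation that does not recognise the JAXP 1.5 properties, and the Apache-specific feature URIs can raise ParserConfigurationException on a non-Xerces-derived parser. The enclosing method starts and ends outside this hunk, so whether either failure is handled there cannot be seen from here.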