- // schemaFactory.setFeature(name, value);
- // schemaFactory.setProperty(name, object);
+ try{
+ // Prevent denial of service attack.
+ schemaFactory.setFeature(
+ XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ // FEATURE MUST BE SUPPORTED
+ assert false;
+ }
+
+ try{
+ // Disallow external entity reference & external DTD access.
+ schemaFactory.setProperty(
+ XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ // Allow only HTTP external schema file.
+ schemaFactory.setProperty(
+ XMLConstants.ACCESS_EXTERNAL_SCHEMA, ALLOWED_USCHEMA);
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ // PROPERTY MUST BE SUPPORTED JAXP1.5 or later
+ assert false;
+ }