From f9b9e3018b46180c0e88812c25211e8630137a8c Mon Sep 17 00:00:00 2001
From: Olyutorskii <olyutorskii@users.osdn.me>
Date: Mon, 24 Jun 2019 00:17:16 +0900
Subject: [PATCH] add implicit built-in xml schema.

---
 CHANGELOG.txt                                      |  1 +
 src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java | 16 ++++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 0850023..c5293d0 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -5,6 +5,7 @@ TogaGem å¤æ´å±¥æ­´
 
 
 X.XXX.X (XXXX-XX-XX)
+    * Prevent XXE vulnerabilities.
     * Split entity resolver from resource resolver to prevent XXE vulnerability.
     * Make Schema-factory safe to prevent XXE vulnerability.
     * Move out xml-xsd info from resolver.
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java b/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
index c2de190..a8dbadf 100644
--- a/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
+++ b/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
@@ -26,7 +26,7 @@ import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXNotSupportedException;
 
 /**
- * XMLã¹ã­ã¼ãã®åç¨®ãã«ãã
+ * XML schema (XSD) utilities.
  */
 public final class SchemaUtil {
 
@@ -62,7 +62,7 @@ public final class SchemaUtil {
 
 
     /**
-     * é ãã³ã³ã¹ãã©ã¯ã¿ã
+     * Hidden constructor.
      */
     private SchemaUtil(){
         assert false;
@@ -184,10 +184,14 @@ public final class SchemaUtil {
      * @param resArray ã­ã¼ã«ã«ã¹ã­ã¼ãæå ±ä¸¦ã³
      * @return ã¹ã­ã¼ã
      */
-    public static Schema newSchema(XmlResourceResolver resolver,
-                                    LocalXmlResource... resArray ){
+    public static Schema newSchema(
+            XmlResourceResolver resolver,
+            LocalXmlResource... resArray){
+        XmlResourceResolver totalResolver = buildXmlXsdResolver();
+        totalResolver.putRedirected(resolver);
+
         for(LocalXmlResource resource : resArray){
-            resolver.putRedirected(resource);
+            totalResolver.putRedirected(resource);
         }
 
         Source[] sources;
@@ -198,7 +202,7 @@ public final class SchemaUtil {
             throw new AssertionError(e);
         }
 
-        SchemaFactory schemaFactory = newSchemaFactory(resolver);
+        SchemaFactory schemaFactory = newSchemaFactory(totalResolver);
 
         Schema result;
         try{
-- 
2.11.0