import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import jp.sfjp.mikutoga.xml.SchemaUtil;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
/**
*/
final class XmlInputUtil {
+ private static final String F_DISALLOW_DOCTYPE_DECL =
+ "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String F_EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";
+ private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+ "http://xml.org/sax/features/external-parameter-entities";
+ private static final String F_LOAD_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+
/**
* 隠しコンストラクタ。
*/
factory.setNamespaceAware(true);
factory.setValidating(false);
factory.setXIncludeAware(false);
-// factory.setFeature(name, value);
+
+ try{
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature(F_DISALLOW_DOCTYPE_DECL, true);
+ factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+ factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+ factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+ }catch( ParserConfigurationException
+ | SAXNotRecognizedException
+ | SAXNotSupportedException e
+ ){
+ assert false;
+ throw new AssertionError(e);
+ }
factory.setSchema(schema);
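Review bot: In the catch block around the five `factory.setFeature` calls, `assert false;` runs before `throw new AssertionError(e);`, so with assertions enabled (`-ea`) a bare AssertionError is thrown and the SAX exception naming the rejected feature is lost. Dropping the `assert false;` line keeps the fail-closed behaviour and preserves the cause; `assert false : e;` would also work if the assert is wanted. The same pattern appears in the catch around `parser.setProperty` further down. Because all five features share one try, the cause is the only thing that tells a maintainer which hardening feature the parser refused. The enclosing method starts outside the hunk.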
throw new AssertionError(e);
}
-// parser.setProperty(name, value);
+ try{
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ assert false;
+ throw new AssertionError(e);
+ }
return parser;
}
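Review bot: The two `parser.setProperty` calls use the JAXP 1.5 property names, and which parser implementation backs the factory is not visible here; an implementation that does not recognise them would turn every parser creation into an AssertionError. Failing closed is the right outcome for an XXE hardening step, but the requirement deserves a comment above the try, for example `// JAXP 1.5+ parser required: refuse to parse if external DTD/schema access cannot be blocked`. The method body starts outside the hunk.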