Merge pull request #438 from Flowdalic/stax-disable-xxe-and-dtd

[xmlparser-stax] Disable external entities and DTD
4.4
Florian Schmaus 2 years ago committed by GitHub
commit 28dd56a13a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      smack-xmlparser-stax/src/main/java/org/jivesoftware/smack/xml/stax/StaxXmlPullParserFactory.java

@ -1,6 +1,6 @@
/**
*
* Copyright 2019 Florian Schmaus
* Copyright 2020-2020 Florian Schmaus
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -34,7 +34,10 @@ public class StaxXmlPullParserFactory implements XmlPullParserFactory {
// getText().
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
// Internal and external entity references are prohibited in XMPP (RFC 6120 § 11.1).
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
// We don't need to support DTDs in XMPP.
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}
@Override
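Review bot: The comment `// We don't need to support DTDs in XMPP.` above the `SUPPORT_DTD` line reads like a convenience setting, although the commit title presents it as XXE hardening. I would word it as `// Security: disable DTD processing so a DOCTYPE cannot declare entities (XXE, entity expansion); XMPP does not use DTDs.` so that a later cleanup does not re-enable it. The diffstat lists only this file, so no regression test appears to accompany the change. A parser test that feeds input containing a DOCTYPE with an external entity and asserts the entity is never resolved would pin the behaviour, since StAX implementations may treat a DOCTYPE differently once DTD support is off. The block that holds these `setProperty` calls starts above the hunk, so I cannot see whether a failure there is handled.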
