Interface SecureDocumentBuilderFactory

All Known Implementing Classes:
DocumentBuilderFactoryProvider

public interface SecureDocumentBuilderFactory
Interface to provide a safe DocumentBuilderFactory instance; a default DocumentBuilderFactory is susceptible to XXE/XEE attacks. The following XML parsing related vulnerabilities were detected in SAXReader objects in Apache POI:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
This interface is for internal use only.
  • Method Details

    • createSecureBuilderFactory

      DocumentBuilderFactory createSecureBuilderFactory(Boolean setNamespaceAware) throws ParserConfigurationException
      Invoked when a new instance of DocumentBuilderFactory is required.
      Parameters:
      setNamespaceAware - Whether to set NamespaceAware configuration for DocumentBuilderFactory to true or not.
      Returns:
      A new instance of DocumentBuilderFactory.
      Throws:
      ParserConfigurationException - If a DocumentBuilder cannot be created which satisfies the configuration requested.

      The following configuration has been added to the factory:

        factory.setNamespaceAware(true);
        factory.setValidating(true);
        factory.setExpandEntityReferences(false);
        factory.setFeature("http://xml.org/sax/features/validation", true);
        // do not include external general entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // do not include external parameter entities or the external DTD subset
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // build the grammar but do not use the default attributes and attribute types information it contains
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        // ignore the external DTD completely
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
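An added example, not code from this page or from Apache POI: a hypothetical implementation of the interface that applies exactly the configuration listed above, followed by a self-check that parses a constructed document referencing an external entity and confirms the reference is left unresolved. The class name ExampleSecureFactory, the check method and the sample XML are assumptions; the interface declaration is repeated only so the file compiles on its own.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Interface as documented on this page (signature only).
interface SecureDocumentBuilderFactory {
    DocumentBuilderFactory createSecureBuilderFactory(Boolean setNamespaceAware)
            throws ParserConfigurationException;
}

// Hypothetical implementation (assumption; not POI's DocumentBuilderFactoryProvider).
public class ExampleSecureFactory implements SecureDocumentBuilderFactory {
    @Override
    public DocumentBuilderFactory createSecureBuilderFactory(Boolean setNamespaceAware)
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(Boolean.TRUE.equals(setNamespaceAware));
        factory.setValidating(true);
        // keep EntityReference nodes in the DOM instead of expanding them
        factory.setExpandEntityReferences(false);
        factory.setFeature("http://xml.org/sax/features/validation", true);
        // do not include external general entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // do not include external parameter entities or the external DTD subset
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // build the grammar but do not use the default attribute information it contains
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        // ignore the external DTD completely
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory;
    }

    // Self-check on a constructed document: the element declares and references an
    // external entity; with the features above it is never fetched, so the text is empty.
    public static boolean externalEntityIsIgnored() throws Exception {
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>"
            + "<!ENTITY ext SYSTEM \"file:///nonexistent-placeholder\">]>"
            + "<note>&ext;</note>";
        DocumentBuilder builder = new ExampleSecureFactory()
            .createSecureBuilderFactory(true).newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent().isEmpty();
    }

    public static void main(String[] args) throws Exception { System.out.println("external entity ignored: " + externalEntityIsIgnored()); }
}
```

On a parser that does not recognise one of the Xerces features, setFeature throws the documented ParserConfigurationException rather than silently leaving the factory unsafe.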