Do not use WebLogic servlet attributes for XML parsing

This rule detects the use of the WebLogic servlet request attributes, set and read through the setAttribute and getAttribute methods, for parsing XML. This rule applies to the Java code. A separate rule detects the use of the WebLogic weblogic.servlet.XMLParsingHelper class, which enables this feature.

The following cases are detected:
  1. All method invocations of setAttribute, where the first argument is a string literal with any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
    request.setAttribute("org.xml.sax.helpers.DefaultHandler", someObject);

  2. All method invocations of setAttribute, where the first argument is a reference to a string variable or a string field and that variable or field is initialized to any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
      String handler = "org.xml.sax.helpers.DefaultHandler";
      request.setAttribute(handler, someObject);

  3. All method invocations of getAttribute, where the argument is a string literal with any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
      Document myDocument = (Document) request.getAttribute("org.w3c.dom.Document");

  4. All method invocations of getAttribute, where the argument is a reference to a string variable or a string field and that variable or field is initialized to any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
      String handler = "org.w3c.dom.Document";
      Document myDoc = (Document) request.getAttribute(handler);

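The four detected cases above, as an added, simplified detector written for this page (it is not the source scanner's own code): it flags setAttribute/getAttribute calls whose first argument is either a flagged string literal or a String variable or field whose initializer is a flagged value. The sample Java source is constructed, and the variable resolution is a whole-file lookup rather than the scope-aware analysis a real scanner performs.

```python
import re

# Attribute names the rule flags (from the rule description).
WEBLOGIC_XML_ATTRS = {
    "org.xml.sax.helpers.DefaultHandler",
    "org.xml.sax.HandlerBase",
    "org.w3c.dom.Document",
}

# Constructed sample: one line per detected case, plus one benign call.
SAMPLE_JAVA = """\
String handler = "org.xml.sax.helpers.DefaultHandler";
private static final String DOC_KEY = "org.w3c.dom.Document";
request.setAttribute("org.xml.sax.helpers.DefaultHandler", someObject);
request.setAttribute(handler, someObject);
Document myDocument = (Document) request.getAttribute("org.w3c.dom.Document");
Document myDoc = (Document) request.getAttribute(DOC_KEY);
request.setAttribute("user", currentUser);
"""

# String variable or field initialized with a literal: String name = "...";
STRING_INIT_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# .setAttribute( / .getAttribute( followed by a string literal or an identifier.
CALL_RE = re.compile(r'\.(setAttribute|getAttribute)\s*\(\s*(?:"([^"]*)"|(\w+))')


def find_violations(source):
    """Return (line_no, method, resolved_attribute_name) for each flagged call.

    Cases 1 and 3: the first argument is a flagged string literal.
    Cases 2 and 4: the first argument is an identifier whose String
    initializer (anywhere in the file, a simplification) is a flagged value.
    """
    string_inits = {m.group(1): m.group(2) for m in STRING_INIT_RE.finditer(source)}
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            method, literal, ident = m.group(1), m.group(2), m.group(3)
            key = literal if literal is not None else string_inits.get(ident)
            if key in WEBLOGIC_XML_ATTRS:
                hits.append((line_no, method, key))
    return hits


if __name__ == "__main__":
    for line_no, method, key in find_violations(SAMPLE_JAVA):
        print(f"line {line_no}: {method} uses WebLogic XML attribute {key}")
```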

A quick fix for this rule is available in the source scanner. Depending on how the code is structured, the quick fix offers one of the following options:
  1. Delete the method call.

    Examples:
      request.setAttribute("org.xml.sax.helpers.DefaultHandler", myHandler);
      request.getAttribute("org.w3c.dom.Document");
    When the quick fix is applied to the previous lines, those lines are deleted.
    Note: Verify that the object myHandler is initialized in another way if it is used later in the code.

  2. Delete the variable initializer section.

    Examples:
      Document myDocument = (Document) request.getAttribute("org.w3c.dom.Document");
    When the quick fix is applied, the previous code is changed to:
      Document myDocument;
    Note: Verify that the object myDocument is initialized in another way if it is used later in the code.