#28 Disable downloading external resources with DocumentHelper.parseT…

…ext() helper.
dom4j · Jul 1, 2018 · 8f6a7f6 · 8f6a7f6
1 parent 983701f
commit 8f6a7f6
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 19 deletions.
diff --git a/.idea/modules/dom4j_main.iml b/.idea/modules/dom4j_main.iml
diff --git a/.idea/modules/dom4j_test.iml b/.idea/modules/dom4j_test.iml
diff --git a/build.gradle b/build.gradle
@@ -19,17 +19,16 @@ repositories {
 
 dependencies {
 
-    compileOnly(
+    implementation(
             'jaxen:jaxen:1.1.6',
             'javax.xml.stream:stax-api:1.0-2',
             'net.java.dev.msv:xsdlib:2013.6.1',
-            'xpp3:xpp3:1.1.4c',
-            'pull-parser:pull-parser:2',
             'javax.xml.bind:jaxb-api:2.2.12',
+            'pull-parser:pull-parser:2',
+            'xpp3:xpp3:1.1.4c',
     )
 
-
-    testCompile(
+    testImplementation(
             'org.testng:testng:6.8.21',
 
             'xerces:xercesImpl:2.11.0',
@@ -89,6 +88,12 @@ publishing {
                     developerConnection = 'scm:git:git@github.com:dom4j/dom4j.git'
                     url = 'git@github.com:dom4j/dom4j.git'
                 }
+
+                withXml {
+                    asNode().dependencies.dependency.findAll { xmlDep ->
+                        xmlDep.appendNode('optional').value = 'true'
+                    }
+                }
             }
         }
     }

diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
@@ -18,6 +18,7 @@
 import org.jaxen.VariableContext;
 
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 /**
  * <code>DocumentHelper</code> is a collection of helper methods for using
@@ -256,6 +257,8 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
      * <code>parseText</code> parses the given text as an XML document and
      * returns the newly created Document.
      * </p>
+     *
+     * Loading external DTD and entities is disabled (if it is possible) for security reasons.
      * 
      * @param text
      *            the XML text to be parsed
@@ -267,6 +270,14 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
      */
     public static Document parseText(String text) throws DocumentException {
         SAXReader reader = new SAXReader();
+        try {
+            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (SAXException e) {
+            //Parse with external resources downloading allowed.
+        }
+
         String encoding = getEncoding(text);
 
         InputSource source = new InputSource(new StringReader(text));