in velocity-tools-generic/src/main/java/org/apache/velocity/tools/XmlUtils.java [96:148]
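/**
 * Creates a {@link DocumentBuilderFactory} hardened against XML external
 * entity (XXE) and related attacks.
 *
 * <p>The factory is namespace-aware (required for {@code <os:>} elements)
 * and non-validating. Doctype declarations are still accepted, because they
 * are common and usually harmless; what is switched off is the resolution of
 * external general and parameter entities and of external DTDs, which is both
 * expensive and a classic file-disclosure / SSRF vector. XInclude is kept off
 * (the JAXP default, made explicit) and JAXP secure processing, which imposes
 * entity-expansion and resource limits, is turned on.</p>
 *
 * <p>Features are configured through {@link DocumentBuilderFactory#setFeature},
 * the JAXP-specified way to set SAX/Xerces feature URIs and
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING}, rather than
 * {@code setAttribute}, which only happens to map Boolean attributes to
 * features on Xerces-based parsers. A parser that rejects one of the
 * hardening features is logged at WARN level rather than failing, because the
 * returned factory may then still resolve external entities; callers that
 * need a hard guarantee should treat such a warning as a deployment error.</p>
 *
 * @return a new, hardened {@link DocumentBuilderFactory}
 */
public static final DocumentBuilderFactory createDocumentBuilderFactory()
{
    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    // Namespace support is required for <os:> elements
    builderFactory.setNamespaceAware(true);
    // Disable various insecure and/or expensive options.
    builderFactory.setValidating(false);
    // XInclude can pull arbitrary external documents into the parse; keep it off
    // explicitly (this is also the JAXP default).
    builderFactory.setXIncludeAware(false);
    // Can't disable doctypes entirely because they're usually harmless. External entity
    // resolution, however, is both expensive and insecure.
    setFeatureOrWarn(builderFactory,
        "http://xml.org/sax/features/external-general-entities", false,
        "disable external general entities");
    setFeatureOrWarn(builderFactory,
        "http://xml.org/sax/features/external-parameter-entities", false,
        "disable external parameter entities");
    // Only supported by Apache's XML parsers (including the JDK's internal Xerces).
    setFeatureOrWarn(builderFactory,
        "http://apache.org/xml/features/nonvalidating/load-external-dtd", false,
        "disable loading of external DTDs");
    // Every JAXP implementation is required to support this feature; it enables
    // the parser's entity-expansion and resource limits.
    setFeatureOrWarn(builderFactory,
        XMLConstants.FEATURE_SECURE_PROCESSING, true,
        "enable secure processing");
    return builderFactory;
}

/**
 * Sets a single feature on the factory, logging a warning instead of failing
 * when the underlying parser does not recognise or cannot honour it.
 *
 * @param factory the factory to configure
 * @param feature the SAX/Xerces/JAXP feature URI
 * @param value   the value to set
 * @param purpose short description of the hardening goal, used in the log message
 */
private static void setFeatureOrWarn(DocumentBuilderFactory factory, String feature,
                                     boolean value, String purpose)
{
    try
    {
        factory.setFeature(feature, value);
    }
    catch (javax.xml.parsers.ParserConfigurationException | IllegalArgumentException e)
    {
        // Unsupported by this parser: the factory may be less secure than intended,
        // so this deserves more than an INFO line.
        LOGGER.warn("Unable to " + purpose + " on the XML parser (feature " + feature
            + " not supported): ", e);
    }
}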