Disable External Entities in XmlParser (#1000)

LibrePDF · Dec 6, 2023 · 2c7b0d6 · 2c7b0d6
1 parent b8bae86
commit 2c7b0d6
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/openpdf/src/main/java/com/lowagie/text/xml/TagMap.java b/openpdf/src/main/java/com/lowagie/text/xml/TagMap.java
@@ -99,7 +99,10 @@ public TagMap(InputStream in) {
 
     protected void init(InputStream in) {
         try {
-            SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            SAXParser parser = factory.newSAXParser();
             parser.parse(new InputSource(in), new AttributeHandler((Map<String, XmlPeer>) this));
         } catch (Exception e) {
             throw new ExceptionConverter(e);

diff --git a/openpdf/src/main/java/com/lowagie/text/xml/XmlParser.java b/openpdf/src/main/java/com/lowagie/text/xml/XmlParser.java
@@ -79,7 +79,10 @@ public class XmlParser {
 
     public XmlParser() {
         try {
-            parser = SAXParserFactory.newInstance().newSAXParser();
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            parser = factory.newSAXParser();
         } catch (ParserConfigurationException | SAXException pce) {
             throw new ExceptionConverter(pce);
         }

diff --git a/pdf-toolbox/src/test/java/com/lowagie/examples/directcontent/pageevents/Events.java b/pdf-toolbox/src/test/java/com/lowagie/examples/directcontent/pageevents/Events.java
@@ -202,7 +202,10 @@ public static void main(String[] args) {
             writer.setPageEvent(events);
 
             // step 3: we create a parser and set the document handler
-            SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            SAXParser parser = factory.newSAXParser();
 
             // step 4: we parse the document
             parser.parse("playRomeoJuliet.xml", new Events().getXmlHandler(document));