How to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP
Issue
We need to determine how to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl. When trying transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false); as shown below, it fails with:
javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:526)
...
The code looks like:
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false); //This is what fails
Transformer transformer = transformerFactory.newTransformer();
According to the Xerces site [ http://xerces.apache.org/xerces2-j/features.html#external-general-entities ], I should be setting the following:
transformerFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
transformerFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
transformerFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Those features are returning an IllegalArgumentException, which means they are NOT recognized. The Java XMLConstants features are also not recognized.
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 6.x
- Java API for XML Processing (JAXP)
