How to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP


Issue

We need to determine how to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl. Trying transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false); as shown below fails with:

javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:526)
    ...

The code looks like:

TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);  // This is what fails
Transformer transformer = transformerFactory.newTransformer();

According to the Xerces site, I should be setting the following:

transformerFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
transformerFactory.setFeature("http://xml.org/sax/features/external-general-entities",false);
transformerFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Those features are returning an IllegalArgumentException, which means they are NOT recognized. The Java XMLConstants features are also not recognized.

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6.x
  • Java API for XML Processing (JAXP)
