diff --git a/src/org/jitsi/impl/configuration/xml/XMLConfigurationStore.java b/src/org/jitsi/impl/configuration/xml/XMLConfigurationStore.java
index 4a9b77e451a07376bf86505ee2858fefa7c81165..0c1a131c318a8d31a896453c051973cff9a6b94d 100644
--- a/src/org/jitsi/impl/configuration/xml/XMLConfigurationStore.java
+++ b/src/org/jitsi/impl/configuration/xml/XMLConfigurationStore.java
@@ -177,12 +177,12 @@ public boolean isSystemProperty(String propertyName)
 */
 private Map<String, Object> loadConfiguration(File file)
 throws IOException,
- XMLException
+ XMLException
 {
 try
 {
- DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory
+ = XMLUtils.newDocumentBuilderFactory();
 DocumentBuilder builder = factory.newDocumentBuilder();
 Map<String, Object> props = new Hashtable<String, Object>();
diff --git a/src/org/jitsi/util/xml/XMLUtils.java b/src/org/jitsi/util/xml/XMLUtils.java
index 32ae9e293688cad8c401786a63ca47d85438a39c..efac33d64575826c47a432cdd1b45fb49da11602 100644
--- a/src/org/jitsi/util/xml/XMLUtils.java
+++ b/src/org/jitsi/util/xml/XMLUtils.java
@@ -34,6 +34,38 @@
 */
 public class XMLUtils
 {
+ /**
+ * The string identifying the <tt>DocumentBuilderFactory</tt>feature which
+ * controls whether inclusion of external general entities is allowed.
+ * See
+ * {@link "http://xerces.apache.org/xerces-j/features.html#external-general-entities"}
+ * and
+ * {@link "http://xerces.apache.org/xerces2-j/features.html#external-general-entities"}
+ */
+ private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES
+ = "http://xml.org/sax/features/external-general-entities";
+
+ /**
+ * The string identifying the <tt>DocumentBuilderFactory</tt>feature which
+ * controls whether inclusion of external parameter entities is allowed.
+ * See
+ * {@link "http://xerces.apache.org/xerces-j/features.html#external-parameter-entities"}
+ * and
+ * {@link "http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities"}
+ */
+ private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES
+ = "http://xml.org/sax/features/external-parameter-entities";
+
+
+ /**
+ * The string identifying the <tt>DocumentBuilderFactory</tt>feature which
+ * controls whether DOCTYPE declaration is allowed.
+ * See
+ * {@link "http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl"}
+ */
+ private static final String FEATURE_DISSALLOW_DOCTYPE
+ = "http://apache.org/xml/features/disallow-doctype-decl";
+
 /**
 * The <tt>Logger</tt> used by the <tt>XMLUtils</tt> class for logging
 * output.
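Review bot: The `{@link "http://…"}` tags in the three new constant comments are not valid Javadoc, because `{@link}` expects a program element rather than a quoted URL, so they will not render as links and strict doclint is likely to flag them. A `@see <a href="http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl">disallow-doctype-decl</a>` line per reference would do the job. The constant name `FEATURE_DISSALLOW_DOCTYPE` is misspelled; it is private, so renaming it to `FEATURE_DISALLOW_DOCTYPE` here and at its single use in `disableExternalEntities` is safe. All three comments also lack a space in `<tt>DocumentBuilderFactory</tt>feature`.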
@@ -657,15 +689,19 @@ public static Document createDocument()
 * Creates W3C Document from the xml.
 *
 * @param xml the xml that needs to be converted.
+ * @param allowExternalEntities whether parsing of XML external entities
+ * and DOCTYPE declarations should be allowed.
 * @return the W3C Document.
 * @throws Exception is there is some error during operation.
 */
- public static Document createDocument(String xml)
+ public static Document createDocument(String xml,
+ boolean allowExternalEntities)
 throws Exception
 {
- DocumentBuilderFactory builderFactory =
- DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory builderFactory
+ = newDocumentBuilderFactory(allowExternalEntities);
 builderFactory.setNamespaceAware(true);
+
 DocumentBuilder documentBuilder = builderFactory.newDocumentBuilder();
 if (!isNullOrEmpty(xml))
 {
@@ -678,6 +714,19 @@ public static Document createDocument(String xml)
 }
 }
+ /**
+ * Creates W3C Document from the xml.
+ *
+ * @param xml the xml that needs to be converted.
+ * @return the W3C Document.
+ * @throws Exception is there is some error during operation.
+ */
+ public static Document createDocument(String xml)
+ throws Exception
+ {
+ return createDocument(xml, false);
+ }
+
 /**
 * Creates XML from W3C Document from the xml.
 *
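Review bot: Neither `createDocument` Javadoc states the behaviour change callers now get. The one-argument overload in the second hunk keeps the old copy-pasted text although it now rejects any input that carries a DOCTYPE, and the new `@param allowExternalEntities` in the first hunk does not say that `true` is only appropriate for XML from a trusted source. I would add `External entities and DOCTYPE declarations are disabled; input containing a DOCTYPE fails to parse.` to the one-argument overload, and extend the parameter text with `Pass {@code true} only for trusted input.` The body of the two-argument method continues past the end of the first hunk, so how a parse failure is reported to the caller is not visible here.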
@@ -698,4 +747,49 @@ public static String createXml(Document document)
 return stringWriter.toString();
 }
+ /**
+ * Creates and returns a new <tt>DocumentBuilderFactory</tt> instance, and
+ * sets the default set of features.
+ * @return the created factory
+ * @throws ParserConfigurationException if setting a feature fails.
+ */
+ public static DocumentBuilderFactory newDocumentBuilderFactory()
+ throws ParserConfigurationException
+ {
+ return newDocumentBuilderFactory(false);
+ }
+
+ /**
+ * Creates and returns a new <tt>DocumentBuilderFactory</tt> instance, and
+ * sets the default set of features.
+ *
+ * @param allowExternalEntities whether parsing of XML external entities
+ * and DOCTYPE declarations should be allowed.
+ * @return the created factory
+ * @throws ParserConfigurationException if setting a feature fails.
+ */
+ public static DocumentBuilderFactory newDocumentBuilderFactory(
+ boolean allowExternalEntities)
+ throws ParserConfigurationException
+ {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ if (!allowExternalEntities)
+ disableExternalEntities(factory);
+ return factory;
+ }
+
+ /**
+ * Tries to set the features which disable inclusion of XML external
+ * entities and DOCTYPE declarations.
+ * @param factory the factory
+ * @throws javax.xml.parsers.ParserConfigurationException if setting any
+ * of the features fails.
+ */
+ public static void disableExternalEntities(DocumentBuilderFactory factory)
+ throws ParserConfigurationException
+ {
+ factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
+ factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
+ factory.setFeature(FEATURE_DISSALLOW_DOCTYPE, true);
+ }
 }
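Review bot: When `allowExternalEntities` is true, `newDocumentBuilderFactory(boolean)` returns the bare `DocumentBuilderFactory.newInstance()` result with no hardening applied, so a DOCTYPE is accepted and internal entity expansion is left at the parser's defaults. Setting `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` unconditionally before the `if` would keep processing limits in place on both paths; it needs an import of `javax.xml.XMLConstants`, and the file's import block is outside this hunk. The Javadoc of `disableExternalEntities` says "Tries to set", but the method throws as soon as the parser does not recognise a feature, and `disallow-doctype-decl` is an Apache-specific feature name. Failing closed is the right behaviour, and the comment should say so, for example `Fails with ParserConfigurationException rather than returning a factory that could not be hardened.` The unbraced `if (!allowExternalEntities)` guards the security-relevant call and would be safer with braces.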