Skip to content

Commit

Permalink
Merge pull request #706 from goldmansachs/xml-security
Browse files Browse the repository at this point in the history 
Disable access to external entities in XML parsing
  • Loading branch information
@opatrascoiu
opatrascoiu committed Sep 9, 2024
2 parents 1bf376d + 83b70d9 commit e64addd
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,8 @@ public void serialize(NSElement element, JsonGenerator gen, SerializerProvider s
private static String toXml(Element element) {
try {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
StringWriter writer = new StringWriter();
Transformer transformer = factory.newTransformer();
transformer.transform(new DOMSource(element), new StreamResult(writer));
Expand Down

0 comments on commit e64addd

Please sign in to comment.