Package com.itextpdf.kernel.utils

Class DefaultSafeXmlParserFactory

  • All Implemented Interfaces:
    IXmlParserFactory
    public class DefaultSafeXmlParserFactory
extends java.lang.Object
implements IXmlParserFactory
    Implementation of IXmlParserFactory for creating safe xml parser objects. Creates parsers with configuration to prevent XML bombs and XXE attacks.

    • Field Detail

      • LOGGER

        private static final org.slf4j.Logger LOGGER

      • DISALLOW_DOCTYPE_DECL

        private static final java.lang.String DISALLOW_DOCTYPE_DECL
        Feature for disallowing DOCTYPE declaration.

        Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl

        See Also:
        Constant Field Values

      • EXTERNAL_GENERAL_ENTITIES

        private static final java.lang.String EXTERNAL_GENERAL_ENTITIES
        If you can't disable DOCTYPE declarations, then at least disable external entities. Must be used with the EXTERNAL_PARAMETER_ENTITIES, otherwise has no effect.

        Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities JDK7+ - http://xml.org/sax/features/external-general-entities

        See Also:
        Constant Field Values

      • EXTERNAL_PARAMETER_ENTITIES

        private static final java.lang.String EXTERNAL_PARAMETER_ENTITIES
        Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.

        Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities JDK7+ - http://xml.org/sax/features/external-parameter-entities

        See Also:
        Constant Field Values

      • LOAD_EXTERNAL_DTD

        private static final java.lang.String LOAD_EXTERNAL_DTD
        Disable external DTDs.
        See Also:
        Constant Field Values

    • Method Detail

      • createDocumentBuilderInstance

        public javax.xml.parsers.DocumentBuilder createDocumentBuilderInstance​(boolean namespaceAware,
                                                                       boolean ignoringComments)
        Description copied from interface: IXmlParserFactory
        Creates the instance of the DocumentBuilder.
        Specified by:
        createDocumentBuilderInstance in interface IXmlParserFactory
        Parameters:
        namespaceAware - specifies whether the parser should be namespace aware
        ignoringComments - specifies whether the parser should ignore comments
        Returns:
        instance of the DocumentBuilder

      • createXMLReaderInstance

        public org.xml.sax.XMLReader createXMLReaderInstance​(boolean namespaceAware,
                                                     boolean validating)
        Description copied from interface: IXmlParserFactory
        Creates the instance of the XMLReader.
        Specified by:
        createXMLReaderInstance in interface IXmlParserFactory
        Parameters:
        namespaceAware - specifies whether the parser should be namespace aware
        validating - specifies whether the parser should validate documents as they are parsed
        Returns:
        instance of the XMLReader

      • createTransformerInstance

        public javax.xml.transform.Transformer createTransformerInstance()
        Description copied from interface: IXmlParserFactory
        Creates the instance of the Transformer.
        Specified by:
        createTransformerInstance in interface IXmlParserFactory
        Returns:
        instance of the Transformer

      • createDocumentBuilderFactory

        protected javax.xml.parsers.DocumentBuilderFactory createDocumentBuilderFactory()
        Creates a document builder factory implementation.
        Returns:
        result of DocumentBuilderFactory.newInstance() call

      • createSAXParserFactory

        protected javax.xml.parsers.SAXParserFactory createSAXParserFactory()
        Creates a SAX parser factory implementation.
        Returns:
        result of SAXParserFactory.newInstance() call

      • configureSafeDocumentBuilderFactory

        protected void configureSafeDocumentBuilderFactory​(javax.xml.parsers.DocumentBuilderFactory factory)
        Configures document builder factory to make it secure against xml attacks.
        Parameters:
        factory - DocumentBuilderFactory instance to be configured

      • configureSafeSAXParserFactory

        protected void configureSafeSAXParserFactory​(javax.xml.parsers.SAXParserFactory factory)
        Configures SAX parser factory to make it secure against xml attacks.
        Parameters:
        factory - SAXParserFactory instance to be configured

      • configureSafeTransformerFactory

        protected void configureSafeTransformerFactory​(javax.xml.transform.TransformerFactory factory)
        Configures transformer factory to make it secure against xml attacks.
        Parameters:
        factory - TransformerFactory instance to be configured

      • tryToSetFeature

        private void tryToSetFeature​(javax.xml.parsers.DocumentBuilderFactory factory,
                             java.lang.String feature,
                             boolean value)

      • tryToSetFeature

        private void tryToSetFeature​(javax.xml.parsers.SAXParserFactory factory,
                             java.lang.String feature,
                             boolean value)