Class DefaultSafeXmlParserFactory
java.lang.Object
com.itextpdf.kernel.utils.DefaultSafeXmlParserFactory
- All Implemented Interfaces: IXmlParserFactory
Implementation of IXmlParserFactory for creating safe xml parser objects.
Creates parsers with configuration to prevent XML bombs and XXE attacks.
-
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description)
- private static class
-
Field Summary
Fields (Modifier and Type, Field, Description)
- private static final String DISALLOW_DOCTYPE_DECL: Feature for disallowing DOCTYPE declaration.
- private static final String EXTERNAL_GENERAL_ENTITIES: If you can't disable DOCTYPE declarations, then at least disable external entities.
- private static final String EXTERNAL_PARAMETER_ENTITIES: Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
- private static final String LOAD_EXTERNAL_DTD: Disable external DTDs.
- private static final org.slf4j.Logger LOGGER
-
Constructor Summary
Constructors
-
Method Summary
Methods (Modifier and Type, Method, Description)
- protected void configureSafeDocumentBuilderFactory(DocumentBuilderFactory factory): Configures document builder factory to make it secure against xml attacks.
- protected void configureSafeSAXParserFactory(SAXParserFactory factory): Configures SAX parser factory to make it secure against xml attacks.
- protected void configureSafeTransformerFactory(TransformerFactory factory): Configures transformer factory to make it secure against xml attacks.
- protected DocumentBuilderFactory createDocumentBuilderFactory(): Creates a document builder factory implementation.
- DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments): Creates the instance of the DocumentBuilder.
- protected SAXParserFactory createSAXParserFactory(): Creates a SAX parser factory implementation.
- Transformer createTransformerInstance(): Creates the instance of the Transformer.
- XMLReader createXMLReaderInstance(boolean namespaceAware, boolean validating): Creates the instance of the XMLReader.
- private void tryToSetFeature(DocumentBuilderFactory factory, String feature, boolean value)
- private void tryToSetFeature(SAXParserFactory factory, String feature, boolean value)
-
Field Details
-
LOGGER
private static final org.slf4j.Logger LOGGER
-
DISALLOW_DOCTYPE_DECL
Feature for disallowing DOCTYPE declaration.
Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
-
EXTERNAL_GENERAL_ENTITIES
If you can't disable DOCTYPE declarations, then at least disable external entities. Must be used with the EXTERNAL_PARAMETER_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
JDK7+ - http://xml.org/sax/features/external-general-entities
-
EXTERNAL_PARAMETER_ENTITIES
Must be used with the EXTERNAL_GENERAL_ENTITIES, otherwise has no effect.
Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
JDK7+ - http://xml.org/sax/features/external-parameter-entities
-
LOAD_EXTERNAL_DTD
-
-
Constructor Details
-
DefaultSafeXmlParserFactory
public DefaultSafeXmlParserFactory()
Creates instance of DefaultSafeXmlParserFactory.
-
-
Method Details
-
createDocumentBuilderInstance
public DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments)
Description copied from interface: IXmlParserFactory
Creates the instance of the DocumentBuilder.
- Specified by: createDocumentBuilderInstance in interface IXmlParserFactory
- Parameters:
namespaceAware - specifies whether the parser should be namespace aware
ignoringComments - specifies whether the parser should ignore comments
- Returns: instance of the DocumentBuilder
-
createXMLReaderInstance
Description copied from interface: IXmlParserFactory
Creates the instance of the XMLReader.
- Specified by: createXMLReaderInstance in interface IXmlParserFactory
- Parameters:
namespaceAware - specifies whether the parser should be namespace aware
validating - specifies whether the parser should validate documents as they are parsed
- Returns: instance of the XMLReader
-
createTransformerInstance
Description copied from interface: IXmlParserFactory
Creates the instance of the Transformer.
- Specified by: createTransformerInstance in interface IXmlParserFactory
- Returns: instance of the Transformer
-
createDocumentBuilderFactory
Creates a document builder factory implementation.
- Returns: result of DocumentBuilderFactory.newInstance() call
-
createSAXParserFactory
Creates a SAX parser factory implementation.
- Returns: result of SAXParserFactory.newInstance() call
-
configureSafeDocumentBuilderFactory
Configures document builder factory to make it secure against xml attacks.
- Parameters:
factory - DocumentBuilderFactory instance to be configured
-
configureSafeSAXParserFactory
Configures SAX parser factory to make it secure against xml attacks.
- Parameters:
factory - SAXParserFactory instance to be configured
-
configureSafeTransformerFactory
Configures transformer factory to make it secure against xml attacks.
- Parameters:
factory - TransformerFactory instance to be configured
-
tryToSetFeature
-
tryToSetFeature
-