Secure SAXParser (#47)

project-openubl · Dec 17, 2022 · 615a463 · 615a463
1 parent 200d673
commit 615a463
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/core/src/main/java/io/github/project/openubl/xsender/files/xml/XmlContentProvider.java b/core/src/main/java/io/github/project/openubl/xsender/files/xml/XmlContentProvider.java
@@ -36,10 +36,12 @@ public static XmlContent getSunatDocument(InputStream is) throws ParserConfigura
         XmlHandler handler = new XmlHandler();
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
         factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         factory.setNamespaceAware(true);
 
         SAXParser parser = factory.newSAXParser();
+        parser.getXMLReader().setFeature("http://xml.org/sax/features/external-general-entities", false);
         parser.parse(is, handler);
 
         return handler.getModel();