来自Web服务的响应XML中的XML数据注入

时间:2012-07-03 13:14:14

标签: java xml owasp esapi

我需要为XML数据注入修复下面的代码。

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder db = factory.newDocumentBuilder();
InputSource inStream = new InputSource();
inStream.setCharacterStream(new StringReader(xmlFromWebService));
Document doc = db.parse(inStream);   // reported at this line by a code audit tool
doc.getDocumentElement().normalize();

如何解决?有没有人有任何建议。

1 个答案:

答案 0 :(得分:1)

我猜这与根据给定的XSD验证XML有关,以防止XML数据注入。我建议修改你的代码:

try {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setNamespaceAware( true);
  factory.setValidating( true);

  factory.setProperty( "http://java.sun.com/xml/jaxp/properties/schemaLanguage", 
                       "http://www.w3.org/2001/XMLSchema");
  factory.setProperty( "http://java.sun.com/xml/jaxp/properties/schemaSource", 
                       "file:<your_xsd_file>");

  DocumentBuilder builder = factory.newDocumentBuilder();
  InputSource inStream = new InputSource();
  inStream.setCharacterStream(new StringReader(xmlFromWebService));
  Document document = builder.parse(inStream);

} catch ( ParserConfigurationException e) {
  e.printStackTrace();
} catch ( SAXException e) {
  e.printStackTrace();
} catch ( IOException e) {
  e.printStackTrace();
}

我希望你得到提示!

相关问题
最新问题