I am trying to update an existing method to avoid XXE attacks. Here is the existing method:
```java
import java.io.StringWriter;

import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Node;

private String xmlToString(final Node node) {
    try {
        final Source source = new DOMSource(node);
        final StringWriter stringWriter = new StringWriter();
        final Result result = new StreamResult(stringWriter);
        final TransformerFactory factory = TransformerFactory.newInstance();
        final Transformer transformer = factory.newTransformer();
        transformer.transform(source, result);
        return stringWriter.getBuffer().toString();
    } catch (final TransformerConfigurationException e) {
        LOG.error("Unable to convert XML node to string", e);
    } catch (final TransformerException e) {
        LOG.error("Unable to convert XML node to string", e);
    }
    return null;
}
```
Here is my change:
```java
import java.io.StringWriter;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Node;

private String xmlToString(final Node node) {
    try {
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        documentBuilderFactory.setNamespaceAware(true);
        DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
        Document document = documentBuilder.newDocument();
        Node importedNode = document.importNode(node, true);
        document.appendChild(importedNode);
        final Source source = new DOMSource(document);
        final StringWriter stringWriter = new StringWriter();
        final Result result = new StreamResult(stringWriter);
        final TransformerFactory factory = TransformerFactory.newInstance();
        //factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        final Transformer transformer = factory.newTransformer();
        transformer.transform(source, result);
        return stringWriter.getBuffer().toString();
    } catch (final TransformerConfigurationException e) {
        LOG.error("Unable to convert XML node to string", e);
    } catch (final TransformerException e) {
        LOG.error("Unable to convert XML node to string", e);
    } catch (ParserConfigurationException e) {
        LOG.error("Unable to convert XML node to string", e);
    }
    return null;
}
```
I first added the TransformerFactory setFeature attribute (the commented-out line) and saw the following error:

```
java.lang.UnsupportedOperationException: This class does not support JDK1.5
at weblogic.xml.jaxp.RegistryTransformerFactory.setFeature(RegistryTransformerFactory.java:317)
```
Then I decided to add a DocumentBuilderFactory to the method and convert the node into a document. I saw this link and updated my method. However, I see the following error:

```
org.w3c.dom.DOMException: NOT_SUPPORTED_ERR: The implementation does not support the requested type of object or operation.
at org.apache.xerces.dom.CoreDocumentImpl.importNode(Unknown Source)
at org.apache.xerces.dom.CoreDocumentImpl.importNode(Unknown Source)
```
Can someone help me correct this problem?

Thanks,
NN.
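The following is an added example, not the poster's code, written in plain Java against the standard JAXP/Xerces API. It illustrates two points the question turns on. First, XXE is a parsing problem: a DOMSource wraps a tree that already exists, so the place to disable DOCTYPEs and external entities is the DocumentBuilder that parses untrusted input, not the serialiser. Second, the DOM specification has importNode() refuse DOCUMENT and DOCUMENT_TYPE nodes with NOT_SUPPORTED_ERR, so when the argument is a whole Document it has to be unwrapped to its root element before importing (or serialised directly, which needs no copy at all). The class name, helper names and sample XML strings are my own constructions.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class XmlSerializationExample {

    /** The parser is where XXE is prevented: no DOCTYPE, no external entities or DTDs. */
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder();
    }

    /** Copies a node into a fresh document the way the question attempts, without NOT_SUPPORTED_ERR. */
    static Document copyIntoNewDocument(Node node, DocumentBuilder builder) {
        Document target = builder.newDocument();
        // importNode() throws NOT_SUPPORTED_ERR for DOCUMENT and DOCUMENT_TYPE nodes,
        // so a Document argument is unwrapped to its root element first.
        Node source = node.getNodeType() == Node.DOCUMENT_NODE
                ? ((Document) node).getDocumentElement()
                : node;
        // appendChild() on a Document accepts one element; text or attribute nodes would
        // raise HIERARCHY_REQUEST_ERR, which callers should treat as a usage error.
        target.appendChild(target.importNode(source, true));
        return target;
    }

    /** Serialises an already-parsed node; nothing is parsed here, so no entity is ever expanded. */
    static String xmlToString(Node node) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // These limits matter for StreamSource inputs and external stylesheets; they are
        // harmless for a DOMSource. Factories that predate JAXP 1.5 (the poster's WebLogic
        // one reports "does not support JDK1.5") reject them, so the failure is tolerated.
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupportedByThisFactory) {
            // Serialising a DOMSource does not fetch anything, so continuing is safe.
        }
        Transformer t = tf.newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(node), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one carrying a DOCTYPE.
        String benign = "<r><a>text</a></r>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";

        DocumentBuilder parser = hardenedParser();
        Document doc = parser.parse(new InputSource(new StringReader(benign)));

        // A Document can be handed to DOMSource directly; no importNode() is needed.
        System.out.println(xmlToString(doc));
        // A sub-tree serialises on its own.
        System.out.println(xmlToString(doc.getDocumentElement().getFirstChild()));
        // The copy path now works for a Document argument as well as for an element.
        System.out.println(xmlToString(copyIntoNewDocument(doc, parser)));

        // The hardened parser refuses any DOCTYPE before entities could be resolved.
        try {
            parser.parse(new InputSource(new StringReader(withDoctype)));
        } catch (SAXParseException rejected) {
            System.out.println("rejected at parse time: " + rejected.getMessage());
        }
    }
}
```

Compile and run the class with nothing but the JDK on the classpath; the first three lines print `<r><a>text</a></r>`, `<a>text</a>` and `<r><a>text</a></r>`, and the fourth reports the DOCTYPE rejection. The design point is the separation: harden the single DocumentBuilder that turns bytes into a tree, and keep the serialiser simple, because by the time a Node exists, any entity expansion has already happened or been refused.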