When I scan with the Fortify tool, it reports some issues under "XML External Entity Injection".
TransformerFactory trfactory = TransformerFactory.newInstance();
This is the line that is flagged. I applied the following fix, as Fortify suggested:
trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
But the issue is still reported. How do I resolve this?
Answer 0: (score: 1)
Sometimes it won't work if the Java version is incompatible.
import javax.xml.parsers.DocumentBuilderFactory;
// dbf is the parser factory being hardened; javaVersion is read from the running JVM.
// setFeature throws ParserConfigurationException, so run this inside a method that declares it.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
double javaVersion = Double.parseDouble(System.getProperty("java.specification.version"));
if (javaVersion > 1.6) {
    // Standard SAX feature names (Java 7 and later)
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
else {
    if (javaVersion > 1.5) {
        // Xerces2 feature names (Java 6)
        dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
        dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
    }
    else {
        // Older Xerces-J feature names (Java 5 and earlier)
        dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
        dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
    }
}
It worked for me :-)
Answer 1: (score: 1)
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // "" = no protocol may be used to fetch external DTDs/entities
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // same for xsl:import / xsl:include / document()
That is enough.
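A complete, runnable version of the hardening in this answer, added here as an example (it is not code from the original post): it builds the factory with these settings and feeds it a constructed document that declares an external entity, so you can confirm the entity is never resolved. It assumes the JDK's built-in JAXP implementation on Java 7 or later (the release that introduced the XMLConstants.ACCESS_EXTERNAL_* attributes); whether the transform fails outright or succeeds with the entity left unexpanded depends on the JAXP implementation, and the code handles both outcomes.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerDemo {

    // Constructed sample input: the DTD declares an external entity that points at a
    // local file and the body references it. A hardened factory must not read that file.
    private static final String XXE_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Builds a TransformerFactory with external DTD and stylesheet access disabled. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty string allows no protocol at all, so no external DTD or entity can be fetched.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Runs an identity transform (no stylesheet) over xml and returns the serialised output. */
    static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            String result = identityTransform(hardenedFactory(), XXE_INPUT);
            // If the implementation parses the document, the file contents must be absent here.
            System.out.println("Transform completed; output: " + result);
        } catch (TransformerException e) {
            // The JDK parser rejects the external entity because no access protocol is allowed.
            System.out.println("External entity blocked: " + e.getMessage());
        }
    }
}
```

Run it with a plain `java HardenedTransformerDemo.java` (Java 11+) and check that the file contents do not appear in the output in either branch.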
Answer 2: (score: 0)
I tried the "Xalan" implementation class instead of TransformerFactory.newInstance(). It worked for me and the Fortify issue was fixed.
import javax.xml.transform.Transformer;
import org.apache.xalan.processor.TransformerFactoryImpl; // Xalan must be on the classpath
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
Transformer transformer = transformerFactoryImpl.newTransformer();
Answer 3: (score: 0)
You can also try:
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import org.apache.xalan.processor.TransformerFactoryImpl;
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
transformerFactoryImpl.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // setFeature lives on the factory, not on Transformer
Transformer transformer = transformerFactoryImpl.newTransformer();
Answer 4: (score: 0)
Add this line. It worked for me.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // javax.xml.parsers; this is a parser-factory feature
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);