How do I fix "Disable XML External Entity (XXE) processing" in Java?

Time: 2019-07-15 22:04:05

Tags: java sonarqube

Sonar tells me to make the following change: "Disable XML External Entity (XXE) processing." Can someone help me fix the problem?

    private Document createDocument(InputSource inputSource) {
        // important: this must only be called AFTER common constructor
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

            // Parser settings as currently configured; nothing here restricts
            // external entity or external DTD resolution, which is what Sonar flags.
            factory.setValidating(validation);
            factory.setNamespaceAware(false);
            factory.setIgnoringComments(true);
            factory.setIgnoringElementContentWhitespace(false);
            factory.setCoalescing(false);
            factory.setExpandEntityReferences(true);

            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.setEntityResolver(entityResolver);
            builder.setErrorHandler(new ErrorHandler() {
                @Override
                public void error(SAXParseException exception) throws SAXException {
                    throw exception;
                }

                @Override
                public void fatalError(SAXParseException exception) throws SAXException {
                    throw exception;
                }

                @Override
                public void warning(SAXParseException exception) throws SAXException {
                    // default implementation ignored
                }
            });
            return builder.parse(inputSource);
        } catch (Exception e) {
            throw new BuilderException("Error creating document instance.  Cause: " + e, e);
        }
    }
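A hardened version of the factory configuration above, added here as an example rather than taken from the question or any answer. The class and method names are my own; it assumes the JDK's built-in JAXP parser, and keeps the question's `validating` flag and `EntityResolver` so an existing local resolver can still be used.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public final class HardenedXmlParsing {
    // Assumed helper; the feature/attribute names are standard JAXP/Xerces ones that the JDK
    // parser supports (the ACCESS_EXTERNAL_* attributes need JAXP 1.5, i.e. Java 7u40 or later).
    static DocumentBuilderFactory hardenedFactory(boolean validating, boolean allowDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest option: refuse any DOCTYPE, so no entities can be declared at all. Relax it
        // only when the input legitimately carries a DOCTYPE served locally by the EntityResolver.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
        // Even when a DOCTYPE is allowed, never fetch external entities, DTDs or schemas.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false); // the question's code sets this to true
        factory.setValidating(validating);
        factory.setNamespaceAware(false);
        factory.setIgnoringComments(true);
        return factory;
    }
    static Document parse(InputSource in, EntityResolver resolver, boolean validating,
                          boolean allowDoctype) throws Exception {
        DocumentBuilder builder = hardenedFactory(validating, allowDoctype).newDocumentBuilder();
        builder.setEntityResolver(resolver); // keep the question's local resolver if one is used
        return builder.parse(in);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a DOCTYPE pointing at an external DTD on a placeholder host.
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE root SYSTEM \"http://dtd.example.invalid/root.dtd\"><root/>";
        try {
            parse(new InputSource(new StringReader(xml)), null, false, false);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

With `allowDoctype` false the sample document is rejected before any network access is attempted; with it true the DOCTYPE is accepted but the external DTD is still never fetched, so a resolver that serves DTDs from the classpath keeps working.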

0 answers:

No answers