diff --git a/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java b/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
index daca1a82a3..6f9b06cc56 100644
--- a/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
+++ b/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.util.xml;
 import java.util.List;
+import java.util.function.Supplier;
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLEventWriter;
@@ -58,11 +59,21 @@ public abstract class StaxUtils {
 /**
 * Create an {@link XMLInputFactory} with Spring's defensive setup,
 * i.e. no support for the resolution of DTDs and external entities.
- * @return a new input factory to use
+ * @return a new defensively initialized input factory instance to use
 * @since 5.0
 */
 public static XMLInputFactory createDefensiveInputFactory() {
- XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+ return createDefensiveInputFactory(XMLInputFactory::newFactory);
+ }
+
+ /**
+ * Variant of {@link #createDefensiveInputFactory()} with a custom instance.
+ * @param instanceSupplier supplier for the input factory instance
+ * @return a new defensively initialized input factory instance to use
+ * @since 5.0.12
+ */
+ public static T createDefensiveInputFactory(Supplier instanceSupplier) {
+ T inputFactory = instanceSupplier.get();
 inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
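Review bot: The new `createDefensiveInputFactory(Supplier)` overload passes whatever the supplier returns straight into `setProperty`, so a null supplier result fails with a bare NullPointerException inside the hardening code, and an implementation that does not support `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES` surfaces as an `IllegalArgumentException` from `setProperty` with nothing saying that the defensive setup is what failed. A guard such as `T inputFactory = Objects.requireNonNull(instanceSupplier.get(), "instanceSupplier returned null");` (needs `import java.util.Objects;`) plus a `@throws IllegalArgumentException if the supplied factory rejects one of the defensive properties` tag on the new Javadoc would make both cases diagnosable at the point of failure. The Javadoc should also state that the overload disables DTD and external-entity resolution only to the extent the supplied implementation honours those standard properties, which is what callers such as the Aalto-backed decoder in this commit now rely on; a regression test that feeds a document carrying a DOCTYPE declaration through such a factory and asserts it is rejected is the way to confirm that for each implementation. The method's `return` and closing brace fall outside the hunk.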
diff --git a/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java b/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
index 4971353b99..6213fc080b 100644
--- a/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
+++ b/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -127,13 +127,15 @@ public class XmlEventDecoder extends AbstractDecoder {
 */
 private static class AaltoDataBufferToXmlEvent implements Function> {
- private static final AsyncXMLInputFactory inputFactory = new InputFactoryImpl();
+ private static final AsyncXMLInputFactory inputFactory =
+ StaxUtils.createDefensiveInputFactory(InputFactoryImpl::new);
 private final AsyncXMLStreamReader streamReader = inputFactory.createAsyncForByteBuffer();
 private final XMLEventAllocator eventAllocator = EventAllocatorImpl.getDefaultInstance();
+ @Override
 public Publisher apply(DataBuffer dataBuffer) {
 try {