Defensive initialization of AsyncXMLInputFactory
Aalto's InputFactoryImpl already disables loading of external entities by default (property "javax.xml.stream.isSupportingExternalEntities"). This commit goes further by applying the same defensive measures as we do elsewhere for XMLInputFactory, which disables DTD completely. Arguably there is no good reason to enable that by default in WebFlux.
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -127,13 +127,15 @@ public class XmlEventDecoder extends AbstractDecoder<XMLEvent> {
|
||||
*/
|
||||
private static class AaltoDataBufferToXmlEvent implements Function<DataBuffer, Publisher<? extends XMLEvent>> {
|
||||
|
||||
private static final AsyncXMLInputFactory inputFactory = new InputFactoryImpl();
|
||||
private static final AsyncXMLInputFactory inputFactory =
|
||||
StaxUtils.createDefensiveInputFactory(InputFactoryImpl::new);
|
||||
|
||||
private final AsyncXMLStreamReader<AsyncByteBufferFeeder> streamReader =
|
||||
inputFactory.createAsyncForByteBuffer();
|
||||
|
||||
private final XMLEventAllocator eventAllocator = EventAllocatorImpl.getDefaultInstance();
|
||||
|
||||
|
||||
@Override
|
||||
public Publisher<? extends XMLEvent> apply(DataBuffer dataBuffer) {
|
||||
try {
|
||||
|
||||
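Review bot: The new `inputFactory` initializer in `AaltoDataBufferToXmlEvent` has no comment explaining why it goes through `StaxUtils.createDefensiveInputFactory`, so a later cleanup could revert it to `new InputFactoryImpl()` and silently re-enable DTD processing. I would add above the field `// Defensive factory: DTD support and external entities stay disabled for XML this decoder parses; do not replace with a plain InputFactoryImpl.` The page shows no test change, so it is worth confirming that a decoder test sends a document with a DOCTYPE and an entity reference through the Aalto path and asserts that the entity is not expanded. The class body continues past the end of the hunk and the non-Aalto branch of `XmlEventDecoder` is not visible here, so check against the full file that it also uses the defensive factory.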