XmlEventDecoder uses common defensive XMLInputFactory (now in StaxUtils)
Issue: SPR-15797
This commit is contained in:
@@ -20,6 +20,8 @@ import java.util.List;
|
||||
import javax.xml.stream.XMLEventFactory;
|
||||
import javax.xml.stream.XMLEventReader;
|
||||
import javax.xml.stream.XMLEventWriter;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
import javax.xml.stream.XMLResolver;
|
||||
import javax.xml.stream.XMLStreamException;
|
||||
import javax.xml.stream.XMLStreamReader;
|
||||
import javax.xml.stream.XMLStreamWriter;
|
||||
@@ -33,13 +35,15 @@ import org.xml.sax.ContentHandler;
|
||||
import org.xml.sax.XMLReader;
|
||||
|
||||
import org.springframework.lang.Nullable;
|
||||
import org.springframework.util.StreamUtils;
|
||||
|
||||
/**
|
||||
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3 compatibility;
|
||||
* as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
|
||||
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3
|
||||
* compatibility; as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
|
||||
*
|
||||
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with the TrAX API
|
||||
* ({@code javax.xml.transform}), and converting StAX readers/writers into SAX readers/handlers and vice-versa.
|
||||
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with
|
||||
* the TrAX API ({@code javax.xml.transform}), and converting StAX readers/writers into SAX
|
||||
* readers/handlers and vice-versa.
|
||||
*
|
||||
* @author Arjen Poutsma
|
||||
* @author Juergen Hoeller
|
||||
@@ -47,6 +51,24 @@ import org.springframework.lang.Nullable;
|
||||
*/
|
||||
public abstract class StaxUtils {
|
||||
|
||||
private static final XMLResolver NO_OP_XML_RESOLVER =
|
||||
(publicID, systemID, base, ns) -> StreamUtils.emptyInput();
|
||||
|
||||
|
||||
/**
|
||||
* Create an {@link XMLInputFactory} with Spring's defensive setup,
|
||||
* i.e. no support for the resolution of DTDs and external entities.
|
||||
* @return a new input factory to use
|
||||
* @since 5.0
|
||||
*/
|
||||
public static XMLInputFactory createDefensiveInputFactory() {
|
||||
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
|
||||
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
|
||||
return inputFactory;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLStreamReader}.
|
||||
* @param streamReader the StAX stream reader
|
||||
@@ -57,7 +79,7 @@ public abstract class StaxUtils {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a JAXP 1.4 a {@link StAXSource} for the given {@link XMLEventReader}.
|
||||
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLEventReader}.
|
||||
* @param eventReader the StAX event reader
|
||||
* @return a source wrapping the {@code eventReader}
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user