XmlEventDecoder uses common defensive XMLInputFactory (now in StaxUtils)

Issue: SPR-15797
This commit is contained in:
Juergen Hoeller
2017-07-20 13:17:27 +02:00
parent 40df7b6eca
commit e4651d6b50
5 changed files with 50 additions and 60 deletions

View File

@@ -20,6 +20,8 @@ import java.util.List;
import javax.xml.stream.XMLEventFactory;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLEventWriter;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
@@ -33,13 +35,15 @@ import org.xml.sax.ContentHandler;
import org.xml.sax.XMLReader;
import org.springframework.lang.Nullable;
import org.springframework.util.StreamUtils;
/**
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3 compatibility;
* as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3
* compatibility; as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
*
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with the TrAX API
* ({@code javax.xml.transform}), and converting StAX readers/writers into SAX readers/handlers and vice-versa.
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with
* the TrAX API ({@code javax.xml.transform}), and converting StAX readers/writers into SAX
* readers/handlers and vice-versa.
*
* @author Arjen Poutsma
* @author Juergen Hoeller
@@ -47,6 +51,24 @@ import org.springframework.lang.Nullable;
*/
public abstract class StaxUtils {
private static final XMLResolver NO_OP_XML_RESOLVER =
(publicID, systemID, base, ns) -> StreamUtils.emptyInput();
/**
* Create an {@link XMLInputFactory} with Spring's defensive setup,
* i.e. no support for the resolution of DTDs and external entities.
* @return a new input factory to use
* @since 5.0
*/
public static XMLInputFactory createDefensiveInputFactory() {
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
return inputFactory;
}
/**
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLStreamReader}.
* @param streamReader the StAX stream reader
@@ -57,7 +79,7 @@ public abstract class StaxUtils {
}
/**
* Create a JAXP 1.4 a {@link StAXSource} for the given {@link XMLEventReader}.
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLEventReader}.
* @param eventReader the StAX event reader
* @return a source wrapping the {@code eventReader}
*/