Changeset 16560 in josm


Timestamp:
2020-06-07T17:19:38+02:00 (5 years ago)
Author:
simon04
Message:

fix #19286 - External entities are resolved when parsing tagging presets (patch by hiddewie, modified)

Location:
trunk
Files:
3 added
2 edited

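--- a/trunk/src/org/openstreetmap/josm/tools/XmlUtils.java
+++ b/trunk/src/org/openstreetmap/josm/tools/XmlUtils.java
@@ -35,4 +35,6 @@
  */
 public final class XmlUtils {
+
+    private static final String FEATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
 
     private XmlUtils() {
@@ -101,4 +103,5 @@
         SAXParserFactory parserFactory = SAXParserFactory.newInstance();
         parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        parserFactory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
         parserFactory.setNamespaceAware(true);
         return parserFactory.newSAXParser();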
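Review bot: Neither the new constant nor the `setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true)` call at new line 105 says why it is needed when `FEATURE_SECURE_PROCESSING` is already set on the line above, so a later cleanup could remove it as redundant. I would add above the call `// Reject every DOCTYPE: FEATURE_SECURE_PROCESSING alone still let external entities be resolved (see #19286)`. The factory method's Javadoc, which starts outside this hunk, should also state that any document carrying a DOCTYPE declaration is now rejected with a SAXException for every caller of this factory, not only the tagging-preset reader. The feature URI is Xerces-specific; a SAXParserFactory implementation that does not recognise it would presumably fail in `setFeature`, which is the safe outcome but deserves a sentence in the same Javadoc.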
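--- a/trunk/test/unit/org/openstreetmap/josm/gui/tagging/presets/TaggingPresetReaderTest.java
+++ b/trunk/test/unit/org/openstreetmap/josm/gui/tagging/presets/TaggingPresetReaderTest.java
@@ -6,4 +6,5 @@
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 import java.io.IOException;
@@ -67,4 +68,19 @@
 
     /**
+     * Test external entity resolving.
+     * See #19286
+     */
+    @Test
+    public void testExternalEntityResolving() throws IOException {
+        try {
+            TaggingPresetReader.readAll(TestUtils.getTestDataRoot() + "preset_external_entity.xml", true);
+            fail("Reading a file with external entities should throw an SAXParseException!");
+        } catch (SAXException e) {
+            String expected = "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.";
+            assertEquals(expected, e.getMessage());
+        }
+    }
+
+    /**
      * Validate internal presets
      * See #9027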
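Review bot: `assertEquals(expected, e.getMessage())` at new line 80 pins the test to the exact English wording of the parser's internal error message, so it can fail on a different JDK, XML parser implementation or default locale even though the DOCTYPE is still rejected. Matching on the stable part is enough: `assertTrue(e.getMessage().contains("http://apache.org/xml/features/disallow-doctype-decl"));` (`assertTrue` is already imported). The `fail(...)` text names SAXParseException while the catch is on SAXException; the two should be aligned. The fixture `preset_external_entity.xml` is not shown on this page, so it is worth confirming that its entity points at a local test resource rather than a network URL, in case the check ever regresses.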