Index: trunk/src/org/openstreetmap/josm/gui/download/PlaceSelection.java
===================================================================
--- trunk/src/org/openstreetmap/josm/gui/download/PlaceSelection.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/gui/download/PlaceSelection.java	(revision 8287)
@@ -46,5 +46,4 @@
 import javax.swing.table.TableCellRenderer;
 import javax.swing.table.TableColumn;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -380,5 +379,5 @@
                     InputSource inputSource = new InputSource(reader);
                     NameFinderResultParser parser = new NameFinderResultParser();
-                    SAXParserFactory.newInstance().newSAXParser().parse(inputSource, parser);
+                    Utils.newSafeSAXParser().parse(inputSource, parser);
                     this.data = parser.getResult();
                 }
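Review bot: The switch to `Utils.newSafeSAXParser()` on the new parse line also turns on namespace awareness, which the removed `SAXParserFactory.newInstance().newSAXParser()` call did not have; the same applies to the call sites in Capabilities, DiffResultProcessor, OsmChangesetContentParser, OsmChangesetParser and OsmHistoryReader. A namespace-aware parser rejects unbound prefixes and no longer reports `xmlns` declarations as attributes, so a handler that depends on either would behave differently. `NameFinderResultParser` and the other handlers are defined outside these hunks, so whether any of them is affected cannot be told from here; a regression test that feeds each handler a recorded response would settle it. If the change is intended, record it next to the call, for example `// parser is namespace-aware: handler matches elements on qName`.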
Index: trunk/src/org/openstreetmap/josm/io/Capabilities.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/Capabilities.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/Capabilities.java	(revision 8287)
@@ -12,7 +12,7 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
+import org.openstreetmap.josm.tools.Utils;
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
@@ -272,5 +272,5 @@
         public static Capabilities parse(InputSource inputSource) throws SAXException, IOException, ParserConfigurationException {
             CapabilitiesParser parser = new CapabilitiesParser();
-            SAXParserFactory.newInstance().newSAXParser().parse(inputSource, parser);
+            Utils.newSafeSAXParser().parse(inputSource, parser);
             return parser.getCapabilities();
         }
Index: trunk/src/org/openstreetmap/josm/io/DiffResultProcessor.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/DiffResultProcessor.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/DiffResultProcessor.java	(revision 8287)
@@ -14,5 +14,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.data.osm.Changeset;
@@ -25,4 +24,5 @@
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.xml.sax.Attributes;
@@ -84,5 +84,5 @@
             progressMonitor.beginTask(tr("Parsing response from server..."));
             InputSource inputSource = new InputSource(new StringReader(diffUploadResponse));
-            SAXParserFactory.newInstance().newSAXParser().parse(inputSource, new Parser());
+            Utils.newSafeSAXParser().parse(inputSource, new Parser());
         } catch(XmlParsingException e) {
             throw e;
Index: trunk/src/org/openstreetmap/josm/io/GpxReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/GpxReader.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/GpxReader.java	(revision 8287)
@@ -18,5 +18,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -30,4 +29,5 @@
 import org.openstreetmap.josm.data.gpx.ImmutableGpxTrack;
 import org.openstreetmap.josm.data.gpx.WayPoint;
+import org.openstreetmap.josm.tools.Utils;
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
@@ -542,7 +542,5 @@
         Parser parser = new Parser();
         try {
-            SAXParserFactory factory = SAXParserFactory.newInstance();
-            factory.setNamespaceAware(true);
-            factory.newSAXParser().parse(inputSource, parser);
+            Utils.newSafeSAXParser().parse(inputSource, parser);
             return true;
         } catch (SAXException e) {
Index: trunk/src/org/openstreetmap/josm/io/NoteReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/NoteReader.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/NoteReader.java	(revision 8287)
@@ -11,5 +11,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -19,4 +18,5 @@
 import org.openstreetmap.josm.data.notes.NoteComment.Action;
 import org.openstreetmap.josm.data.osm.User;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.date.DateUtils;
 import org.xml.sax.Attributes;
@@ -222,7 +222,5 @@
         DefaultHandler parser = new Parser();
         try {
-            SAXParserFactory factory = SAXParserFactory.newInstance();
-            factory.setNamespaceAware(true);
-            factory.newSAXParser().parse(inputSource, parser);
+            Utils.newSafeSAXParser().parse(inputSource, parser);
         } catch (ParserConfigurationException e) {
             Main.error(e); // broken SAXException chaining
Index: trunk/src/org/openstreetmap/josm/io/OsmChangesetContentParser.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/OsmChangesetContentParser.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/OsmChangesetContentParser.java	(revision 8287)
@@ -11,5 +11,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -19,4 +18,5 @@
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.xml.sax.Attributes;
@@ -150,5 +150,5 @@
             progressMonitor.beginTask("");
             progressMonitor.indeterminateSubTask(tr("Parsing changeset content ..."));
-            SAXParserFactory.newInstance().newSAXParser().parse(source, new Parser());
+            Utils.newSafeSAXParser().parse(source, new Parser());
         } catch(XmlParsingException e) {
             throw e;
Index: trunk/src/org/openstreetmap/josm/io/OsmChangesetParser.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/OsmChangesetParser.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/OsmChangesetParser.java	(revision 8287)
@@ -13,5 +13,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.data.coor.LatLon;
@@ -20,4 +19,5 @@
 import org.openstreetmap.josm.data.osm.User;
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.openstreetmap.josm.tools.date.DateUtils;
@@ -278,5 +278,5 @@
             progressMonitor.indeterminateSubTask(tr("Parsing list of changesets..."));
             InputSource inputSource = new InputSource(new InvalidXmlCharacterFilter(new InputStreamReader(source, StandardCharsets.UTF_8)));
-            SAXParserFactory.newInstance().newSAXParser().parse(inputSource, parser.new Parser());
+            Utils.newSafeSAXParser().parse(inputSource, parser.new Parser());
             return parser.getChangesets();
         } catch(ParserConfigurationException | SAXException e) {
Index: trunk/src/org/openstreetmap/josm/io/OsmHistoryReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/OsmHistoryReader.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/OsmHistoryReader.java	(revision 8287)
@@ -10,5 +10,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -18,4 +17,5 @@
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
+import org.openstreetmap.josm.tools.Utils;
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
@@ -86,5 +86,5 @@
         progressMonitor.beginTask(tr("Parsing OSM history data ..."));
         try {
-            SAXParserFactory.newInstance().newSAXParser().parse(inputSource, new Parser());
+            Utils.newSafeSAXParser().parse(inputSource, new Parser());
         } catch (ParserConfigurationException e) {
             Main.error(e); // broken SAXException chaining
Index: trunk/src/org/openstreetmap/josm/io/imagery/ImageryReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/imagery/ImageryReader.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/io/imagery/ImageryReader.java	(revision 8287)
@@ -11,5 +11,4 @@
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParserFactory;
 
 import org.openstreetmap.josm.Main;
@@ -21,4 +20,5 @@
 import org.openstreetmap.josm.io.UTFInputStreamReader;
 import org.openstreetmap.josm.tools.LanguageInfo;
+import org.openstreetmap.josm.tools.Utils;
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
@@ -49,6 +49,4 @@
         Parser parser = new Parser();
         try {
-            SAXParserFactory factory = SAXParserFactory.newInstance();
-            factory.setNamespaceAware(true);
             try (InputStream in = new CachedFile(source)
                     .setMaxAge(1*CachedFile.DAYS)
@@ -56,5 +54,5 @@
                     .getInputStream()) {
                 InputSource is = new InputSource(UTFInputStreamReader.create(in));
-                factory.newSAXParser().parse(is, parser);
+                Utils.newSafeSAXParser().parse(is, parser);
                 return parser.entries;
             }
Index: trunk/src/org/openstreetmap/josm/tools/Utils.java
===================================================================
--- trunk/src/org/openstreetmap/josm/tools/Utils.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/tools/Utils.java	(revision 8287)
@@ -50,7 +50,13 @@
 import java.util.zip.ZipInputStream;
 
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+
 import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.openstreetmap.josm.Main;
 import org.openstreetmap.josm.data.Version;
+import org.xml.sax.SAXException;
 
 /**
@@ -1164,3 +1170,17 @@
         return null;
     }
+
+    /**
+     * Returns a new secure SAX parser, supporting XML namespaces.
+     * @return a new secure SAX parser, supporting XML namespaces
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws SAXException for SAX errors.
+     * @since 8287
+     */
+    public static SAXParser newSafeSAXParser() throws ParserConfigurationException, SAXException {
+        SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+        parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        parserFactory.setNamespaceAware(true);
+        return parserFactory.newSAXParser();
+    }
 }
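Review bot: The Javadoc promises a "secure" parser, but the only hardening in `newSafeSAXParser()` is `XMLConstants.FEATURE_SECURE_PROCESSING`, and what that feature restricts is left to whichever JAXP implementation `SAXParserFactory.newInstance()` selects; external entity and DTD resolution are not switched off by name. The callers in this commit parse server responses and, in GpxReader, presumably files opened by the user, so I would add `parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and the same call for `http://xml.org/sax/features/external-parameter-entities`. Both calls throw exceptions already covered by the declared `ParserConfigurationException` and `SAXException`. The Javadoc should then list the protections actually applied (processing limits, no external entities) so that callers know what "safe" covers.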
Index: trunk/src/org/openstreetmap/josm/tools/XmlObjectParser.java
===================================================================
--- trunk/src/org/openstreetmap/josm/tools/XmlObjectParser.java	(revision 8286)
+++ trunk/src/org/openstreetmap/josm/tools/XmlObjectParser.java	(revision 8287)
@@ -20,6 +20,4 @@
 import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
@@ -250,8 +248,5 @@
     private Iterable<Object> start(final Reader in, final ContentHandler contentHandler) throws SAXException, IOException {
         try {
-            SAXParserFactory parserFactory = SAXParserFactory.newInstance();
-            parserFactory.setNamespaceAware(true);
-            SAXParser saxParser = parserFactory.newSAXParser();
-            XMLReader reader = saxParser.getXMLReader();
+            XMLReader reader = Utils.newSafeSAXParser().getXMLReader();
             reader.setContentHandler(contentHandler);
             try {
