From 1707bf3d898a8ada3b213acb0e3b38f16eaae73d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org> Date: Sat, 11 Apr 2020 19:27:36 +0200 Subject: [PATCH] #28 Disable downloading external resources with DocumentHelper.parseText() helper. (cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db) Author: Utkarsh Gupta <utkarsh@debian.org> --- a/src/main/java/org/dom4j/DocumentHelper.java +++ b/src/main/java/org/dom4j/DocumentHelper.java @@ -18,6 +18,7 @@ import org.jaxen.VariableContext; import org.xml.sax.InputSource; +import org.xml.sax.SAXException; /** * <code>DocumentHelper</code> is a collection of helper methods for using @@ -270,6 +271,14 @@ */ public static Document parseText(String text) throws DocumentException { SAXReader reader = new SAXReader(); + try { + reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + reader.setFeature("http://xml.org/sax/features/external-general-entities", false); + reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + } catch (SAXException e) { + //Parse with external resources downloading allowed. + } + String encoding = getEncoding(text); InputSource source = new InputSource(new StringReader(text));