Disable entity-related security features in CommonUtil.createSAXParser

#1986
eclipse-birt · Nov 27, 2024 · 4870b72 · 4870b72
1 parent 8099b94
commit 4870b72
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/core/org.eclipse.birt.core/src/org/eclipse/birt/core/util/CommonUtil.java b/core/org.eclipse.birt.core/src/org/eclipse/birt/core/util/CommonUtil.java
@@ -38,6 +38,9 @@ public static SAXParser createSAXParser() throws ParserConfigurationException, S
 		SAXParserFactory factory = SAXParserFactory.newInstance();
 		// Disable XML External Entity to avoid hack
 		factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
+		factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
+		factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+		factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
 		SAXParser parser = factory.newSAXParser();
 
 		return parser;