Class SafeXmlUtils


  • public class SafeXmlUtils
    extends java.lang.Object
    This class is used in many places in the library to create XML parsers and transformers with certain features switched off that may be vulnerable to XXE attacks.

    The features are implementation dependent, so they might not be present in certain implementations of the XML APIs. We have experienced issues with many Xerces and Xalan versions. When faced with an error because a feature is not present in your environment, the first choice should be to review the XML-related dependencies and try to avoid those that do not support the feature.

    When the dependencies cannot be changed, you can ignore the error by adding a pw-swift-core.properties file to the application classpath with a safeXmlUtils.ignore=featureName,featureName,featureName property. This prevents the indicated features from being applied.
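
    The hardening approach and ignore list described above, sketched with plain JAXP as an added example (this is not the library's own code). The feature URIs are the commonly recommended XXE settings and are an assumption, as are the hypothetical HardenedDomDemo class, its builder method and the `ignore` set standing in for the safeXmlUtils.ignore property.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedDomDemo {
    // Commonly recommended XXE-hardening features (assumed here; not taken from SafeXmlUtils).
    static final Map<String, Boolean> FEATURES = new LinkedHashMap<>();
    static {
        FEATURES.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        FEATURES.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        FEATURES.put("http://xml.org/sax/features/external-general-entities", false);
        FEATURES.put("http://xml.org/sax/features/external-parameter-entities", false);
    }

    // 'ignore' plays the role of an ignore list: the named features are skipped.
    static DocumentBuilder builder(Set<String> ignore) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        for (Map.Entry<String, Boolean> e : FEATURES.entrySet()) {
            if (ignore.contains(e.getKey())) continue; // this protection is NOT applied
            // Throws ParserConfigurationException if the implementation lacks the feature.
            f.setFeature(e.getKey(), e.getValue());
        }
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying a DOCTYPE with an internal entity only.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
        byte[] in = xml.getBytes(StandardCharsets.UTF_8);
        try {
            builder(Set.of()).parse(new ByteArrayInputStream(in));
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException ex) {
            System.out.println("hardened: rejected -> " + ex.getMessage());
        }
        // Skipping disallow-doctype-decl lets the DOCTYPE through again.
        Set<String> ignore = Set.of("http://apache.org/xml/features/disallow-doctype-decl");
        builder(ignore).parse(new ByteArrayInputStream(in));
        System.out.println("with ignore list: DOCTYPE accepted");
    }
}
```

    Each name placed on an ignore list removes one layer of this hardening, so the remaining features should be checked against the input the application actually accepts.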

    Since:
    8.0.5
    • Method Summary

      Modifier and Type Method Description
      static javax.xml.parsers.DocumentBuilder documentBuilder()
      Safe DOM parsing, with default parameters
      static javax.xml.parsers.DocumentBuilder documentBuilder(boolean namespaceAware)
      Safe DOM parsing
      static javax.xml.stream.XMLInputFactory inputFactory()
      Safe StAX parser
      static org.xml.sax.XMLReader reader()
      Safe SAX parser, with default parameters
      static org.xml.sax.XMLReader reader(boolean namespaceAware, javax.xml.validation.Schema schema)
      Safe SAX parser
      static javax.xml.validation.SchemaFactory schemaFactory()
      Safe schema factory
      static javax.xml.transform.Transformer transformer()
      Safe transformer
      static javax.xml.validation.Validator validator(javax.xml.validation.Schema schema)
      Safe schema validator
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • documentBuilder

        public static javax.xml.parsers.DocumentBuilder documentBuilder()
        Safe DOM parsing, with default parameters
        Throws:
        ProwideException - if the parser cannot be configured
        See Also:
        documentBuilder(boolean)
      • documentBuilder

        public static javax.xml.parsers.DocumentBuilder documentBuilder(boolean namespaceAware)
        Safe DOM parsing
        Parameters:
        namespaceAware - factory awareness
        Throws:
        ProwideException - if the parser cannot be configured
      • reader

        public static org.xml.sax.XMLReader reader(boolean namespaceAware,
                                                   javax.xml.validation.Schema schema)
                                            throws ProwideException
        Safe SAX parser
        Parameters:
        namespaceAware - SAX factory awareness
        schema - optional schema if the reader will be used for validation, null to ignore
        Throws:
        ProwideException - if the parser cannot be configured
      • inputFactory

        public static javax.xml.stream.XMLInputFactory inputFactory()
        Safe StAX parser
        Throws:
        ProwideException - if the parser cannot be configured
      • transformer

        public static javax.xml.transform.Transformer transformer()
        Safe transformer
      • schemaFactory

        public static javax.xml.validation.SchemaFactory schemaFactory()
        Safe schema factory
      • validator

        public static javax.xml.validation.Validator validator(javax.xml.validation.Schema schema)
        Safe schema validator