Hi,
are there any plans to make the entity expansion limit setting a bit
friendlier? Currently the default limits in Xerces are a bit too
permissive (100k entity expansion limit vs JDK's 64k), and they are also
a bit difficult to enforce:
// Xerces-specific class; not part of the JAXP API
import org.apache.xerces.util.SecurityManager;

SecurityManager securityManager = new SecurityManager();
securityManager.setEntityExpansionLimit(5000);
// dbf is a javax.xml.parsers.DocumentBuilderFactory
dbf.setAttribute("http://apache.org/xml/properties/security-manager",
                 securityManager);
// sp is a javax.xml.parsers.SAXParser
sp.setProperty("http://apache.org/xml/properties/security-manager",
               securityManager);
This means that my utility library for XML parsing needs to depend
explicitly on XercesImpl, or I need to trick around with reflection.
I think the most unfortunate thing is that SecurityManager does not appear
to be part of the JAXP API, and hence I'm not able to use Xerces'
SecurityManager with the JDK or the other way around. Would it be possible
to implement the limits as attributes/properties or even JVM properties
as well (I suppose for a while that could still result in failures until
both parsers support the same set of attributes/properties/features)?
On a different note, I think I probably misunderstood the purpose of the
setExpandEntityRefs(false) method on DocumentBuilderFactories. Whilst
testing against the billion laughs attack, it looked like
setExpandEntityRefs didn't have any effect, and the entities were
expanded in my XML document, since I saw the error message about hitting
the 100k entity expansion limit. Is this expected behavior?
Also, I couldn't really find a similar option for SAX parsers; am I meant
to use a lexical handler there to prevent entity expansion?
Thanks in advance,
Peter
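As an added example (not code from Peter's mail, nor from Xerces or the JDK), this is how the same hardening can be expressed with JAXP and SAX feature URIs only, so the utility library has no compile-time dependency on XercesImpl. The class and helper names (HardenedJaxp, hardenedFactory, setFeatureIfSupported, accepts) are my own, the sample documents are constructed, and the remark about -Djdk.xml.entityExpansionLimit applies to the parser bundled with the JDK.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedJaxp {
    // Builds a factory using only JAXP/SAX feature URIs: no compile-time dependency on XercesImpl.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Standard JAXP feature; on the JDK parser it also activates the built-in limits,
        // which are tunable without code via -Djdk.xml.entityExpansionLimit=<n>.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: with no DTD no entity can be declared, so nothing can be expanded.
        setFeatureIfSupported(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true);
        // Fallbacks for implementations that do not know the Xerces feature above.
        setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-general-entities", false);
        setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeatureIfSupported(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Feature URIs are implementation-specific; an unknown one throws ParserConfigurationException.
    private static void setFeatureIfSupported(DocumentBuilderFactory dbf, String uri, boolean value) {
        try {
            dbf.setFeature(uri, value);
        } catch (ParserConfigurationException ignored) {
            // Not recognised by this implementation; the remaining settings still apply.
        }
    }
    // Returns true if the hardened parser accepted the document, false if it rejected it.
    public static boolean accepts(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one that merely declares an internal DTD.
        System.out.println("plain accepted: " + accepts("<root><item>ok</item></root>"));
        System.out.println("DOCTYPE accepted: " + accepts("<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>"));
    }
}
```

Rejecting the DOCTYPE up front stops entity declarations before any expansion limit comes into play, which is why it works the same way regardless of which implementation backs the JAXP factory.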