snichol     2002/10/29 18:43:04

  Modified:    java/src/org/apache/soap/util/xml XMLParserUtils.java
  Log:
  By default, turn off expansion of entity references.
  
  cf. bugtraq post on 10/29/2002 by Gregory Steuck <[EMAIL PROTECTED]>
  (http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0)
  
  Revision  Changes    Path
  1.7       +35 -1     xml-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java
  
  Index: XMLParserUtils.java
  ===================================================================
  RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- XMLParserUtils.java       28 Oct 2002 16:37:02 -0000      1.6
  +++ XMLParserUtils.java       30 Oct 2002 02:43:04 -0000      1.7
  @@ -77,7 +77,7 @@
   
     static {
       // Create a default instance.
  -    refreshDocumentBuilderFactory(null, true, false);
  +    refreshDocumentBuilderFactory(null, true, false, false);
     }
   
     /**
  @@ -104,6 +104,39 @@
                                               String factoryClassName,
                                               boolean namespaceAware,
                                               boolean validating) {
  +    refreshDocumentBuilderFactory(factoryClassName,
  +                                  namespaceAware,
  +                                  validating,
  +                                  validating);
  +  }
  +
  +  /**
  +   * Causes the private DocumentBuilderFactory reference to point
  +   * to a new instance of a DocumentBuilderFactory. This method
  +   * only needs to be called if you want to specify a different
  +   * DocumentBuilderFactory implementation then that specified
  +   * prior to this class being initialized. Or, if you want to
  +   * specify different configuration options.
  +   *
  +   * @param factoryClassName the fully-qualified name of a class
  +   * that implemements DocumentBuilderFactory. If this argument
  +   * is null, the default (platform-specific) implementation is
  +   * used. Basically, if this argument is not null, the 
  +   * javax.xml.parsers.DocumentBuilderFactory system property
  +   * is set (with the specified value) before the
  +   * DocumentBuilderFactory.newInstance() method is invoked.
  +   * @param namespaceAware configure the new DocumentBuilderFactory
  +   * to produce namespace aware parsers (i.e. DocumentBuilders)
  +   * @param validating configure the new DocumentBuilderFactory to
  +   * produce validating parsers (i.e. DocumentBuilders)
  +   * @param expandEntityReferences configure the new DocumentBuilderFactory
  +   * to produce parsers that expand entity references
  +   */
  +  synchronized public static void refreshDocumentBuilderFactory(
  +                                            String factoryClassName,
  +                                            boolean namespaceAware,
  +                                            boolean validating,
  +                                            boolean expandEntityReferences) {
       if (factoryClassName != null) {
         System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
                            factoryClassName);
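Review bot: The three-argument overload now forwards `validating` as `expandEntityReferences`, so any caller that asks for a validating factory also switches entity expansion back on; only the static initializer's `refreshDocumentBuilderFactory(null, true, false, false)` gets the new default. If that coupling is intended, the Javadoc of the three-argument overload (which starts above this hunk) should say so, e.g. `Entity references are expanded only when validating is true.`; if it is not, pass `false` as the fourth argument. The new `@param expandEntityReferences` text should also state that `false` is the safe value for XML received from untrusted peers. The body of the four-argument method continues outside the hunk.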
  @@ -115,6 +148,7 @@
       // Optional: set various configuration options
       dbf.setNamespaceAware(namespaceAware);
       dbf.setValidating(validating);
  +    dbf.setExpandEntityReferences(expandEntityReferences);
   
       /*
         At this point the DocumentBuilderFactory instance can be saved
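Review bot: `dbf.setExpandEntityReferences(false)` is a DOM-building option, and whether the underlying parser still reads the DOCTYPE and resolves external entities with it off depends on the JAXP implementation, which this method lets the caller swap through `factoryClassName`. I would add a comment above the call such as `// Limits entity expansion in the DOM only; DOCTYPE handling is parser-specific, so builders for untrusted input should also set an EntityResolver.` The code that creates the DocumentBuilder is not visible here and should be checked for a `setEntityResolver` call or a rejection of DOCTYPE declarations. A regression test that parses a document declaring an internal and an external entity with the default factory would confirm what the setting achieves on the supported parsers. The method body starts and ends outside this hunk.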
  
  
  
