com.helger.xml.EXMLParserFeature Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of ph-xml Show documentation
Show all versions of ph-xml Show documentation
Java 1.8+ Library with XML handling routines
/*
* Copyright (C) 2014-2024 Philip Helger (www.helger.com)
* philip[at]helger[dot]com
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.helger.xml;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.CodingStyleguideUnaware;
import com.helger.commons.annotation.Nonempty;
import com.helger.commons.annotation.ReturnsMutableCopy;
import com.helger.commons.collection.ArrayHelper;
import com.helger.commons.collection.CollectionHelper;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.lang.EnumHelper;
import com.helger.commons.name.IHasName;
/**
* Contains constants for parser features.
* Source: http://xerces.apache.org/xerces2-j/features.html
*
* @author Philip Helger
*/
public enum EXMLParserFeature implements IHasName
{
/**
* When true: instructs the implementation to process XML securely. This may
* set limits on XML constructs to avoid conditions such as denial of service
* attacks.
* When false: instructs the implementation to process XML according the
* letter of the XML specifications ignoring security issues such as limits on
* XML constructs to avoid conditions such as denial of service attacks.
* Default: false
* ({@link XMLConstants#FEATURE_SECURE_PROCESSING})
*/
SECURE_PROCESSING (EXMLParserFeatureType.GENERAL, XMLConstants.FEATURE_SECURE_PROCESSING),
/**
* Restrict access to external DTDs and external Entity References to the
* protocols specified.If access is denied due to the restriction of this
* property, a runtime exception that is specific to the context is thrown. In
* the case of javax.xml.parsers.SAXParserfor example,
* org.xml.sax.SAXException is thrown.
* Value: a list of protocols separated by comma. A protocol is the scheme
* portion of a java.net.URI, or in the case of the JAR protocol, "jar" plus
* the scheme portion separated by colon.
* ({@link XMLConstants#ACCESS_EXTERNAL_DTD})
*
* @since 10.1.7
*/
ACCESS_EXTERNAL_DTD (EXMLParserFeatureType.GENERAL, XMLConstants.ACCESS_EXTERNAL_DTD),
/**
* Restrict access to the protocols specified for external reference set by
* theschemaLocation attribute, Import and Include element. If access is
* denied due to the restriction of this property, a runtime exception that is
* specific to the context is thrown. In the case of
* javax.xml.validation.SchemaFactoryfor example, org.xml.sax.SAXException is
* thrown.
* Value: a list of protocols separated by comma. A protocol is the scheme
* portion of a java.net.URI, or in the case of the JAR protocol, "jar" plus
* the scheme portion separated by colon.
* ({@link XMLConstants#ACCESS_EXTERNAL_SCHEMA})
*
* @since 10.1.7
*/
ACCESS_EXTERNAL_SCHEMA (EXMLParserFeatureType.GENERAL, XMLConstants.ACCESS_EXTERNAL_SCHEMA),
/**
* Restrict access to the protocols specified for external references set by
* the stylesheet processing instruction, Import and Include element, and
* document function.If access is denied due to the restriction of this
* property, a runtime exception that is specific to the context is thrown. In
* the case of constructing new javax.xml.transform.Transformer for example,
* javax.xml.transform.TransformerConfigurationExceptionwill be thrown by the
* javax.xml.transform.TransformerFactory.
* Value: a list of protocols separated by comma. A protocol is the scheme
* portion of a java.net.URI, or in the case of the JAR protocol, "jar" plus
* the scheme portion separated by colon
* ({@link XMLConstants#ACCESS_EXTERNAL_STYLESHEET})
*
* @since 10.1.7
*/
ACCESS_EXTERNAL_STYLESHEET (EXMLParserFeatureType.GENERAL, XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
/**
* When true: Perform namespace processing: prefixes will be stripped off
* element and attribute names and replaced with the corresponding namespace
* URIs. By default, the two will simply be concatenated, but the
* namespace-sep core property allows the application to specify a delimiter
* string for separating the URI part and the local part.
* When false: Do not perform namespace processing.
* Default: true
* (http://xml.org/sax/features/namespaces)
*/
NAMESPACES (EXMLParserFeatureType.GENERAL, "http://xml.org/sax/features/namespaces"),
/**
* When true: The methods of the org.xml.sax.ext.EntityResolver2 interface
* will be used when an object implementing this interface is registered with
* the parser using setEntityResolver.
* When false: The methods of the org.xml.sax.ext.EntityResolver2 interface
* will not be used.
* Default: true
* (http://xml.org/sax/features/use-entity-resolver2)
*/
USE_ENTITY_RESOLVER2 (EXMLParserFeatureType.GENERAL, "http://xml.org/sax/features/use-entity-resolver2"),
/**
* When true: Validate the document and report validity errors.
* When false: Do not report validity errors.
* Default: false
* (http://xml.org/sax/features/validation) Default: false
*/
VALIDATION (EXMLParserFeatureType.GENERAL, "http://xml.org/sax/features/validation"),
/**
* When true: The parser will validate the document only if a grammar is
* specified.
* When false: Validation is determined by the state of the
* {@link #VALIDATION} feature.
* Default: false
* (http://apache.org/xml/features/validation/dynamic)
*/
DYNAMIC (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/dynamic"),
/**
* When true: Turn on XML Schema validation by inserting an XML Schema
* validator into the pipeline.
* When false: Do not report validation errors against XML Schema.
* Default: false
* (http://apache.org/xml/features/validation/schema) Default: false
*/
SCHEMA (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/schema"),
/**
* When true: Enable full schema grammar constraint checking, including
* checking which may be time-consuming or memory intensive. Currently, unique
* particle attribution constraint checking and particle derivation
* restriction checking are controlled by this option.
* When false: Disable full constraint checking.
* Default: false
* (http://apache.org/xml/features/validation/schema-full-checking)
*/
SCHEMA_FULL_CHECKING (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/schema-full-checking"),
/**
* When true: Expose via SAX and DOM XML Schema normalized values for
* attributes and elements.
* When false: Expose the infoset values
* Default: true
* XML Schema normalized values will be exposed only if both {@link #SCHEMA}
* and {@link #VALIDATION} features are set to true.
* (http://apache.org/xml/features/validation/schema/normalized-value)
*/
NORMALIZED_VALUE (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/schema/normalized-value"),
/**
* When true: Send XML Schema element default values via characters()
* When false: Do not send XML Schema default values in XNI
* Default: true
* XML Schema normalized values will be exposed only if both {@link #SCHEMA}
* and {@link #VALIDATION} features are set to true.
* (http://apache.org/xml/features/validation/schema/element-default)
*/
ELEMENT_DEFAULT (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/schema/element-default"),
/**
* When true: Augment Post-Schema-Validation-Infoset.
* When false: Do not augment Post-Schema-Validation-Infoset.
* Default: true
* (http://apache.org/xml/features/validation/schema/augment-psvi)
*/
AUGMENT_PSVI (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/schema/augment-psvi"),
/**
* When true: xsi:type attributes will be ignored until a global element
* declaration has been found, at which point xsi:type attributes will be
* processed on the element for which the global element declaration was found
* as well as its descendants.
* When false: Do not ignore xsi:type attributes.
* Default: false
* (http://apache.org/xml/features/validation/schema
* /ignore-xsi-type-until-elemdecl)
*/
IGNORE_XSI_TYPE_UNTIL_ELEMDECL (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl"),
/**
* When true: Enable generation of synthetic annotations. A synthetic
* annotation will be generated when a schema component has non-schema
* attributes but no child annotation.
* When false: Do not generate synthetic annotations.
* Default: false
* (http://apache.org/xml/features/generate-synthetic-annotations)
*/
GENERATE_SYNTHETIC_ANNOTATIONS (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/generate-synthetic-annotations"),
/**
* When true: Schema annotations will be laxly validated against available
* schema components.
* When false: Do not validate schema annotations.
* Default: false
* (http://apache.org/xml/features/validate-annotations)
*/
VALIDATE_ANNOTATIONS (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validate-annotations"),
/**
* When true: All schema location hints will be used to locate the components
* for a given target namespace.
* When false: Only the first schema location hint encountered by the
* processor will be used to locate the components for a given target
* namespace.
* Default: false
* (http://apache.org/xml/features/honour-all-schemaLocations)
*/
HONOUR_ALL_SCHEMA_LOCATIONS (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/honour-all-schemaLocations"),
/**
* When true: Include external general entities.
* When false: Do not include external general entities.
* Default: true
* Note: set to false to avoid XXE -
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
*
* (http://xml.org/sax/features/external-general-entities)
*/
EXTERNAL_GENERAL_ENTITIES (EXMLParserFeatureType.GENERAL, "http://xml.org/sax/features/external-general-entities"),
/**
* When true: Include external parameter entities and the external DTD subset.
*
* When false: Do not include external parameter entities or the external DTD
* subset.
* Default: true
* Note: set to false to avoid XXE -
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
*
* (http://xml.org/sax/features/external-parameter-entities)
*/
EXTERNAL_PARAMETER_ENTITIES (EXMLParserFeatureType.GENERAL,
"http://xml.org/sax/features/external-parameter-entities"),
/**
* When true: Construct an optimal representation for DTD content models to
* significantly reduce the likelihood a StackOverflowError will occur when
* large content models are processed.
* When false: Do not invest processing time to construct an optimal
* representation for DTD content models.
* Default: false
* (http://apache.org/xml/features/validation/balance-syntax-trees)
*/
BALANCE_SYNTAX_TREES (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/balance-syntax-trees"),
/**
* When true: Enable checking of ID/IDREF constraints.
* When false: Disable checking of ID/IDREF constraints. Validation will not
* fail if there are non-unique ID values or dangling IDREF values in the
* document.
* Default: true
* (http://apache.org/xml/features/validation/id-idref-checking)
*/
ID_IDREF_CHECKING (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/validation/id-idref-checking"),
/**
* When true: Enable identity constraint checking.
* When false: Disable identity constraint checking.
* Default: true
* (http://apache.org/xml/features/validation/identity-constraint-checking)
*/
IDENTITY_CONSTRAINT_CHECKING (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/identity-constraint-checking"),
/**
* When true: Check that each value of type ENTITY matches the name of an
* unparsed entity declared in the DTD.
* When false: Do not check that each value of type ENTITY matches the name of
* an unparsed entity declared in the DTD.
* Default: true
* (http://apache.org/xml/features/validation/unparsed-entity-checking)
*/
UNPARSED_ENTITY_CHECKING (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/unparsed-entity-checking"),
/**
* When true: Report a warning when a duplicate attribute is re-declared.
* When false: Do not report a warning when a duplicate attribute is
* re-declared.
* Default: false
* (http://apache.org/xml/features/validation/warn-on-duplicate-attdef)
*/
WARN_ON_DUPLICATE_ATTDEF (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/warn-on-duplicate-attdef"),
/**
* When true: Report a warning if an element referenced in a content model is
* not declared.
* When false: Do not report a warning if an element referenced in a content
* model is not declared.
* Default: false
* (http://apache.org/xml/features/validation/warn-on-undeclared-elemdef)
*/
WARN_ON_UNDECLARED_ELEMDEF (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/validation/warn-on-undeclared-elemdef"),
/**
* When true: Report a warning for duplicate entity declaration.
* When false: Do not report warning for duplicate entity declaration.
* Default: false
* (http://apache.org/xml/features/warn-on-duplicate-entitydef)
*/
WARN_ON_DUPLICATE_ENTITYDEF (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/warn-on-duplicate-entitydef"),
/**
* When true: Allow Java encoding names in XMLDecl and TextDecl line.
* When false: Do not allow Java encoding names in XMLDecl and TextDecl line.
*
* Default: false
* (http://apache.org/xml/features/allow-java-encodings)
*/
ALLOW_JAVA_ENCODINGS (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/allow-java-encodings"),
/**
* When true: Attempt to continue parsing after a fatal error.
* When false: Stops parse on first fatal error.
* Default: false
* (http://apache.org/xml/features/continue-after-fatal-error)
*/
CONTINUE_AFTER_FATAL_ERROR (EXMLParserFeatureType.GENERAL,
"http://apache.org/xml/features/continue-after-fatal-error"),
/**
* When true: Load the DTD and use it to add default attributes and set
* attribute types when parsing.
* When false: Build the grammar but do not use the default attributes and
* attribute types information it contains.
* Default: true
* (http://apache.org/xml/features/nonvalidating/load-dtd-grammar)
*/
LOAD_DTD_GRAMMAR (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar"),
/**
* When true: Load the external DTD.
* When false: Ignore the external DTD completely.
* Default: true
* (http://apache.org/xml/features/nonvalidating/load-external-dtd)
*/
LOAD_EXTERNAL_DTD (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/nonvalidating/load-external-dtd"),
/**
* When true: Notifies the handler of character reference boundaries in the
* document via the start/endEntity callbacks.
* When false: Does not notify of character reference boundaries.
* Default: false
* (http://apache.org/xml/features/scanner/notify-char-refs)
*/
NOTIFY_CHAR_REFS (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/scanner/notify-char-refs"),
/**
* When true: Notifies the handler of built-in entity boundaries (e.g &)
* in the document via the start/endEntity callbacks.
* When false: Does not notify of built-in entity boundaries.
* Default: false
* (http://apache.org/xml/features/scanner/notify-builtin-refs)
*/
NOTIFY_BUILTIN_REFS (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/scanner/notify-builtin-refs"),
/**
* When true: A fatal error is thrown if the incoming document contains a
* DOCTYPE declaration.
* When false: DOCTYPE declaration is allowed.
* Default: false
* Note: set to true to avoid XXE -
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
*
* (http://apache.org/xml/features/disallow-doctype-decl)
*/
DISALLOW_DOCTYPE_DECL (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/disallow-doctype-decl"),
/**
* When true: Requires that a URI has to be provided where a URI is expected.
*
* When false: Some invalid URI's are accepted as valid values when a URI is
* expected. Examples include: using platform dependent file separator in
* place of '/'; using Windows/DOS path names like "c:\blah" and
* "\\host\dir\blah"; using invalid URI characters (space, for example)
* Default: false
* (http://apache.org/xml/features/standard-uri-conformant)
*/
STANDARD_URI_CONFORMANT (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/standard-uri-conformant"),
/**
* When true: Enable XInclude processing.
* When false: Do not perform XInclude processing.
* Default: false
* (http://apache.org/xml/features/xinclude)
*/
XINCLUDE (EXMLParserFeatureType.GENERAL, "http://apache.org/xml/features/xinclude"),
/**
* When true: Perform base URI fixup as specified by the XInclude
* Recommendation.
* When false: Do not perform base URI fixup. The XInclude processor will not
* add xml:base attributes.
* Default: true
* (http://apache.org/xml/features/xinclude/fixup-base-uris)
*/
XINCLUDE_FIXUP_BASE_URIS (EXMLParserFeatureType.XINCLUDE, "http://apache.org/xml/features/xinclude/fixup-base-uris"),
/**
* When true: Perform language fixup as specified by the XInclude
* Recommendation.
* When false: Do not perform language fixup. The XInclude processor will not
* add xml:lang attributes.
* Default: true
* (http://apache.org/xml/features/xinclude/fixup-language)
*/
XINCLUDE_FIXUP_LANGUAGE (EXMLParserFeatureType.XINCLUDE, "http://apache.org/xml/features/xinclude/fixup-language"),
/**
* When true: Lazily expand the DOM nodes.
* When false: Fully expand the DOM nodes.
* Default: true - In the LSParser implementation the default value of this
* feature is false.
* (http://apache.org/xml/features/dom/defer-node-expansion)
*/
DOM_DEFER_NODE_EXPANSION (EXMLParserFeatureType.DOM, "http://apache.org/xml/features/dom/defer-node-expansion"),
/**
* When true: Create EntityReference nodes in the DOM tree. The
* EntityReference nodes and their child nodes will be read-only.
* When false: Do not create EntityReference nodes in the DOM tree. No
* EntityReference nodes will be created, only the nodes corresponding to
* their fully expanded substitution text will be created.
* Default: true
* (http://apache.org/xml/features/dom/create-entity-ref-nodes)
*/
DOM_CREATE_ENTITY_REF_NODES (EXMLParserFeatureType.DOM, "http://apache.org/xml/features/dom/create-entity-ref-nodes"),
/**
* When true: Include text nodes that can be considered "ignorable whitespace"
* in the DOM tree.
* When false: Do not include ignorable whitespace in the DOM tree.
* Default: true
* (http://apache.org/xml/features/dom/include-ignorable-whitespace)
*/
DOM_INCLUDE_IGNORABLE_WHITESPACE (EXMLParserFeatureType.DOM,
"http://apache.org/xml/features/dom/include-ignorable-whitespace"),
/**
* When true: Report the original prefixed names and attributes used for
* namespace declarations.
* When false: Do not report attributes used for Namespace declarations, and
* optionally do not report original prefixed names.
* Default: false
* (http://xml.org/sax/features/namespace-prefixes)
*/
SAX_NAMESPACE_PREFIXES (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/namespace-prefixes"),
/**
* When true: All element names, prefixes, attribute names, namespace URIs,
* and local names are internalized using the
* java.lang.String#intern(String):String method.
* When false: Names are not necessarily internalized.
* Default: true
* (http://xml.org/sax/features/string-interning)
*/
SAX_STRING_INTERNING (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/string-interning"),
/**
* When true: Report the beginning and end of parameter entities to a
* registered LexicalHandler.
* When false: Do not report the beginning and end of parameter entities to a
* registered LexicalHandler.
* Default: true
* (http://xml.org/sax/features/lexical-handler/parameter-entities)
*/
SAX_PARAMETER_ENTITIES (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/lexical-handler/parameter-entities"),
/**
* When true: The document specified standalone="yes" in its XML declaration.
*
* When false: The document specified standalone="no" in its XML declaration
* or the standalone document declaration was absent.
* Read-only!
* (http://xml.org/sax/features/is-standalone)
*/
SAX_FEATURE_IS_STANDALONE (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/is-standalone"),
/**
* When true: The system identifiers passed to the notationDecl,
* unparsedEntityDecl, and externalEntityDecl events will be absolutized
* relative to their base URIs before reporting.
* When false: System identifiers in declarations will not be absolutized
* before reporting.
* Default: true
* (http://xml.org/sax/features/resolve-dtd-uris)
*/
SAX_RESOLVE_DTD_URIS (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/resolve-dtd-uris"),
/**
* When true: Perform Unicode normalization checking (as described in section
* 2.13 and Appendix B of the XML 1.1 Recommendation) and report normalization
* errors.
* When false: Do not report Unicode normalization errors.
* Default: false
* (http://xml.org/sax/features/unicode-normalization-checking)
*/
SAX_UNICODE_NORMALIZATION_CHECKING (EXMLParserFeatureType.SAX,
"http://xml.org/sax/features/unicode-normalization-checking"),
/**
* When true: The Attributes objects passed by the parser in
* org.xml.sax.ContentHandler.startElement() implement the
* org.xml.sax.ext.Attributes2 interface.
* When false: The Attributes objects passed by the parser do not implement
* the org.xml.sax.ext.Attributes2 interface.
* Read-only!
* Xerces-J will always report Attributes objects that also implement
* org.xml.sax.ext.Attributes2 so the value of this feature will always be
* true.
* (http://xml.org/sax/features/use-attributes2)
*/
SAX_USE_ATTRIBUTES2 (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/use-attributes2"),
/**
* When true: The Locator objects passed by the parser in
* org.xml.sax.ContentHandler.setDocumentLocator() implement the
* org.xml.sax.ext.Locator2 interface.
* When false: The Locator objects passed by the parser do not implement the
* org.xml.sax.ext.Locator2 interface.
* Read-only!
* Xerces-J will always report Locator objects that also implement
* org.xml.sax.ext.Locator2 so the value of this feature will always be true.
*
* (http://xml.org/sax/features/use-locator2)
*/
SAX_USE_LOCATOR2 (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/use-locator2"),
/**
* When true: When the namespace-prefixes feature is set to true, namespace
* declaration attributes will be reported as being in the
* http://www.w3.org/2000/xmlns/ namespace.
* When false: Namespace declaration attributes are reported as having no
* namespace.
* Default: false
* (http://xml.org/sax/features/xmlns-uris)
*/
SAX_XMLNS_URIS (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/xmlns-uris"),
/**
* When true: The parser supports both XML 1.0 and XML 1.1.
* When false: The parser supports only XML 1.0.
* Read-only!
* (http://xml.org/sax/features/xml-1.1)
*/
SAX_IS_XML11_PARSER (EXMLParserFeatureType.SAX, "http://xml.org/sax/features/xml-1.1");
/**
* This map contains all necessary settings to avoid XXE attacks.
*
* @deprecated because this is now enabled by default
*/
@CodingStyleguideUnaware
@Deprecated (forRemoval = true, since = "11.0.0")
public static final Map AVOID_XXE_SETTINGS = CollectionHelper.newMap (new EXMLParserFeature [] { DISALLOW_DOCTYPE_DECL,
EXTERNAL_GENERAL_ENTITIES,
EXTERNAL_PARAMETER_ENTITIES },
new Boolean [] { Boolean.TRUE,
Boolean.FALSE,
Boolean.FALSE })
.getAsUnmodifiable ();
/**
* This map contains all necessary settings to avoid entity expansion overflow
* attacks.
*
* @deprecated because this is now enabled by default
*/
@CodingStyleguideUnaware
@Deprecated (forRemoval = true, since = "11.0.0")
public static final Map AVOID_DOS_SETTINGS = CollectionHelper.newMap (new EXMLParserFeature [] { SECURE_PROCESSING },
new Boolean [] { Boolean.TRUE })
.getAsUnmodifiable ();
/**
* This map contains all necessary settings to avoid all known XML attacks. It
* includes {@link #AVOID_XXE_SETTINGS} and {@link #AVOID_DOS_SETTINGS}.
*
* @deprecated because this is now enabled by default
*/
@CodingStyleguideUnaware
@Deprecated (forRemoval = true, since = "11.0.0")
public static final Map AVOID_XML_ATTACKS = CollectionHelper.newMap (ArrayHelper.newArray (AVOID_XXE_SETTINGS,
AVOID_DOS_SETTINGS))
.getAsUnmodifiable ();
private static final Logger LOGGER = LoggerFactory.getLogger (EXMLParserFeature.class);
private final EXMLParserFeatureType m_eType;
private final String m_sName;
@CodingStyleguideUnaware
private boolean m_bWarnedOnce = false;
EXMLParserFeature (@Nonnull final EXMLParserFeatureType eType, @Nonnull @Nonempty final String sName)
{
m_eType = eType;
m_sName = sName;
}
@Nonnull
public EXMLParserFeatureType getFeatureType ()
{
return m_eType;
}
@Nonnull
@Nonempty
public String getName ()
{
return m_sName;
}
public void applyTo (@Nonnull final org.xml.sax.XMLReader aParser, final boolean bValue)
{
ValueEnforcer.notNull (aParser, "Parser");
if (m_eType != EXMLParserFeatureType.GENERAL && m_eType != EXMLParserFeatureType.SAX)
LOGGER.warn ("Parser feature '" + name () + "' is not applicable for SAX parsers!");
try
{
// This call is very slow as it might throw an XMLConfigurationException
// which internally calls Throwable.fillStackTrace which takes approx. 50%
// of the parsing time for small documents
aParser.setFeature (m_sName, bValue);
}
catch (final SAXNotRecognizedException ex)
{
if (!m_bWarnedOnce)
{
LOGGER.warn ("XML Parser does not recognize feature '" + name () + "'");
m_bWarnedOnce = true;
}
}
catch (final SAXNotSupportedException ex)
{
LOGGER.warn ("XML Parser does not support feature '" + name () + "'");
}
}
public void applyTo (@Nonnull final DocumentBuilderFactory aDocumentBuilderFactory, final boolean bValue)
{
ValueEnforcer.notNull (aDocumentBuilderFactory, "DocumentBuilderFactory");
if (m_eType != EXMLParserFeatureType.GENERAL && m_eType != EXMLParserFeatureType.DOM)
LOGGER.warn ("Parser feature '" + name () + "' is not applicable for DOM parsers!");
try
{
aDocumentBuilderFactory.setFeature (m_sName, bValue);
}
catch (final ParserConfigurationException ex)
{
LOGGER.warn ("DOM parser does not support feature '" + name () + "'");
}
}
public void applyTo (@Nonnull final XPathFactory aXPathFactory, final boolean bValue)
{
ValueEnforcer.notNull (aXPathFactory, "XPathFactory");
if (m_eType != EXMLParserFeatureType.GENERAL)
LOGGER.warn ("Parser feature '" + name () + "' is not applicable for XPathFactory!");
try
{
aXPathFactory.setFeature (m_sName, bValue);
}
catch (final XPathFactoryConfigurationException ex)
{
LOGGER.warn ("XPathFactory does not support feature '" + name () + "'");
}
}
@Nullable
public static EXMLParserFeature getFromNameOrNull (@Nullable final String sName)
{
return EnumHelper.getFromNameOrNull (EXMLParserFeature.class, sName);
}
@Nonnull
@ReturnsMutableCopy
public static ICommonsList getAllFeaturesOfType (@Nonnull final EXMLParserFeatureType eFeatureType)
{
ValueEnforcer.notNull (eFeatureType, "FeatureType");
return EnumHelper.getAll (EXMLParserFeature.class, x -> x.getFeatureType () == eFeatureType);
}
}