/*
* See the NOTICE file distributed with this work for additional
* information regarding copyright ownership.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
/*
This class was copied from https://github.com/css4j/xml-dtd
See https://github.com/css4j/xml-dtd/issues/7 for the reason why we copied it instead of having a dependency on it.
Copyright (c) 1998-2022, Carlos Amengual.
Originally Licensed under a BSD-style License but relicensed under LGPL for XWiki by Carlos Amengual.
You can find the original license here:
https://css4j.github.io/LICENSE.txt
*/
package org.xwiki.xml.internal;
import javax.inject.Singleton;
import org.xwiki.component.annotation.Component;
import org.xwiki.xml.EntityResolver;
/**
* Implements EntityResolver2.
*
* Has common W3C DTDs/entities built-in and loads others via the supplied
* {@code SYSTEM} URL, provided that certain conditions are met:
*
* <ul>
* <li>URL protocol is {@code http}/{@code https}.</li>
* <li>Either the MIME type is valid for a DTD or entity, or the filename ends
* with {@code .dtd}, {@code .ent} or {@code .mod}.</li>
* <li>The whitelist is either disabled (no host added to it) or contains the
* host from the URL.</li>
* </ul>
*
*
* If the whitelist was enabled (e.g. default constructor), any attempt to
* download data from a remote URL not present in the whitelist is going to
* produce an exception. You can use that to determine whether your documents
* are referencing a DTD resource that is not bundled with this resolver.
*
*
* If the constructor with a {@code false} argument was used, the whitelist
* can still be enabled by adding a hostname via
* {@link #addHostToWhiteList(String)}.
*
*
* Although this resolver should protect you from most information leaks (see
* SSRF attacks) and also from {@code jar:} decompression bombs, DoS attacks
* based on entity expansion/recursion like the 'billion laughs attack' may
* still be possible and should be prevented at the XML parser. Be sure to use
* a properly configured, recent version of your parser.
*
*
* @version $Id: c3e35a33ddc05212ab83b1ed28bc781888c50e89 $
*/
@Component
@Singleton
public class LocalEntityResolverComponent extends LocalEntityResolver implements EntityResolver
{
    /** Whitelist mode handed to the parent resolver: only hosts explicitly added to it may be fetched. */
    private static final boolean WHITELIST_ENABLED = true;

    /**
     * Creates the component-managed resolver with the host whitelist enabled, so that a
     * {@code SYSTEM} URL on a host that was not added via {@link #addHostToWhiteList(String)}
     * results in an exception instead of a remote download.
     */
    public LocalEntityResolverComponent()
    {
        super(WHITELIST_ENABLED);
    }
}