Class SecureXmlFactory


  • public abstract class SecureXmlFactory
    extends java.lang.Object
    Factory methods preventing XXE attacks, configured according to the OWASP Cheat Sheet
    • Method Summary

      Modifier and Type Method Description
      static javax.xml.parsers.DocumentBuilderFactory newDocumentBuilderFactory()  
      static javax.xml.parsers.SAXParserFactory newSaxParserFactory()  
      static javax.xml.transform.sax.SAXTransformerFactory newSaxTransformerFactory()  
      static javax.xml.transform.TransformerFactory newTransformerFactory()  
      static javax.xml.stream.XMLInputFactory newXMLInputFactory()
      Create an XMLInputFactory which is safe against injection attacks. If you need XInclude, enable it explicitly after retrieving this factory.
      static org.xml.sax.XMLReader newXmlReader()  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SecureXmlFactory

        public SecureXmlFactory()
    • Method Detail

      • newXMLInputFactory

        public static javax.xml.stream.XMLInputFactory newXMLInputFactory()
        Create an XMLInputFactory which is safe against injection attacks. If you need XInclude, enable it explicitly after retrieving this factory.
        Returns:
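        The StAX configuration that the description above corresponds to, as an added example rather than the library's own code. The class name SecureStaxExample and the two sample documents are constructed for illustration; the properties used are the standard javax.xml.stream ones. The main method checks that a plain document still parses and that a document carrying a DTD is refused instead of having its entity expanded:

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical example class, not part of the documented library.
public class SecureStaxExample {

    /** Builds an XMLInputFactory hardened the way the documented factory method describes. */
    public static XMLInputFactory newHardenedXMLInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Refuse DTD processing entirely: no entity declarations means no external
        // or recursively expanding entities can be defined by the input.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Second layer: even if a DTD were processed, do not resolve external entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /** Concatenates the character data of a document; shows the hardened parser still works on benign input. */
    public static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory factory = newHardenedXMLInputFactory();

        // Constructed sample: a document without any DTD parses normally.
        String benign = "<note><to>ops</to><body>rotate keys</body></note>";
        System.out.println("benign: " + readText(factory, benign));

        // Constructed sample: a document that declares an internal DTD and references its entity.
        // With SUPPORT_DTD=false the DTD is not processed, so the entity is never declared and
        // the parser raises an XMLStreamException instead of expanding it.
        String withDtd = "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>";
        try {
            readText(factory, withDtd);
            System.out.println("unexpected: DTD-bearing input was accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected DTD-bearing input: " + e.getMessage());
        }
    }
}
```

        The exact error message depends on the StAX implementation on the classpath (the JDK's built-in parser, Woodstox, and others word it differently), so code that relies on this behaviour should catch XMLStreamException rather than match the message text.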
      • newDocumentBuilderFactory

        public static javax.xml.parsers.DocumentBuilderFactory newDocumentBuilderFactory()
        Returns:
        DocumentBuilderFactory with the following options set
        • XInclude: disabled
        • Validation: disabled
        • DTD: disabled
        • External Entities (general+params): disabled
        • Ignoring comments: true
      • newSaxParserFactory

        public static javax.xml.parsers.SAXParserFactory newSaxParserFactory()
        Returns:
        SAXParserFactory with the following options set
        • XInclude: disabled
        • Validation: disabled
        • DTD: disabled
        • External Entities (general+params): disabled
      • newTransformerFactory

        public static javax.xml.transform.TransformerFactory newTransformerFactory()
        Returns:
        TransformerFactory with the following options set
        • External DTD: disabled
        • External Stylesheet: disabled
      • newSaxTransformerFactory

        public static javax.xml.transform.sax.SAXTransformerFactory newSaxTransformerFactory()
        Returns:
        SAXTransformerFactory with the following options set
        • External DTD: disabled
        • External Stylesheet: disabled
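        The two transformer factories above (newTransformerFactory and newSaxTransformerFactory) set the same pair of restrictions, so one added example covers both. This is illustrative code, not the library's implementation; the class name SecureTransformerExample, the stylesheets and the sample document are constructed, and the attributes used are the JAXP 1.5 constants from javax.xml.XMLConstants. The main method shows a local stylesheet still working and a stylesheet that tries to import an external one being refused at compile time, before any connection is attempted:

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical example class, not part of the documented library.
public class SecureTransformerExample {

    /** TransformerFactory with external DTD and external stylesheet access disabled. */
    public static TransformerFactory newHardenedTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        // An empty protocol list means "no protocol is allowed": the factory will not
        // fetch external DTDs referenced by the input document ...
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // ... nor external stylesheets pulled in through xsl:import, xsl:include or document().
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Same restrictions, exposed as a SAXTransformerFactory (the JDK default factory implements it). */
    public static SAXTransformerFactory newHardenedSaxTransformerFactory() {
        TransformerFactory factory = newHardenedTransformerFactory();
        if (!(factory instanceof SAXTransformerFactory)) {
            throw new IllegalStateException("installed TransformerFactory does not support SAXTransformerFactory");
        }
        return (SAXTransformerFactory) factory;
    }

    /** Applies a stylesheet to a document and returns the textual result. */
    public static String transform(TransformerFactory factory, String xslt, String xml) throws TransformerException {
        Transformer transformer = factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = newHardenedTransformerFactory();

        // Constructed sample: a self-contained stylesheet and document work as before.
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/note/body\"/></xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<note><body>rotate keys</body></note>";
        System.out.println("benign: " + transform(factory, xslt, xml));

        // Constructed sample: a stylesheet that imports another one over http (placeholder host).
        // With ACCESS_EXTERNAL_STYLESHEET="" compilation fails before any network access.
        String importing = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:import href=\"http://example.invalid/external.xsl\"/>"
                + "</xsl:stylesheet>";
        try {
            factory.newTransformer(new StreamSource(new StringReader(importing)));
            System.out.println("unexpected: external stylesheet was accepted");
        } catch (TransformerConfigurationException e) {
            System.out.println("rejected external stylesheet: " + e.getMessage());
        }
    }
}
```

        Note that ACCESS_EXTERNAL_DTD on the TransformerFactory only governs DTDs referenced by documents the transformer itself reads; if the input is first parsed with a DocumentBuilder or SAX parser and handed over as a DOMSource or SAXSource, that parser must be hardened separately.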
      • newXmlReader

        public static org.xml.sax.XMLReader newXmlReader()
        Returns:
        XMLReader with the following options set
        • XInclude: disabled
        • Validation: disabled
        • DTD: disabled
        • External Entities (general+params): disabled
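        The DocumentBuilderFactory, SAXParserFactory and XMLReader methods above disable the same set of features, so a single added example covers all three. It is not the library's code; the class name SecureDomSaxExample and the sample documents are constructed, and the feature URIs are the standard Xerces/SAX ones named in the OWASP Cheat Sheet. The main method parses a benign document with a comment (which is dropped) and then feeds a document with a DOCTYPE to both the DOM parser and the SAX reader to show that it is rejected before any entity is processed:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical example class, not part of the documented library.
public class SecureDomSaxExample {

    // Standard Xerces / SAX feature URIs.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static DocumentBuilderFactory newHardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);     // DTD: disabled (any DOCTYPE is a fatal error)
        f.setFeature(EXTERNAL_GENERAL, false);    // External general entities: disabled
        f.setFeature(EXTERNAL_PARAMETER, false);  // External parameter entities: disabled
        f.setFeature(LOAD_EXTERNAL_DTD, false);   // never fetch an external DTD subset
        f.setXIncludeAware(false);                // XInclude: disabled
        f.setExpandEntityReferences(false);       // DOM-specific extra layer
        f.setValidating(false);                   // Validation: disabled
        f.setIgnoringComments(true);              // Ignoring comments: true
        return f;
    }

    public static SAXParserFactory newHardenedSaxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setValidating(false);
        return f;
    }

    public static XMLReader newHardenedXmlReader() throws ParserConfigurationException, SAXException {
        // A reader obtained from the hardened factory inherits its features; setting them
        // again on the reader makes the method safe to apply to readers created elsewhere.
        XMLReader reader = newHardenedSaxParserFactory().newSAXParser().getXMLReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);
        reader.setFeature(EXTERNAL_GENERAL, false);
        reader.setFeature(EXTERNAL_PARAMETER, false);
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        // DefaultHandler.fatalError rethrows, so a disallowed DOCTYPE surfaces as an exception.
        reader.setErrorHandler(new DefaultHandler());
        return reader;
    }

    /** Parses with DOM and returns the root element name. */
    public static String rootName(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = newHardenedDocumentBuilderFactory();
        // Constructed sample: ordinary document; the comment is dropped because of setIgnoringComments(true).
        System.out.println("benign root: " + rootName(dbf, "<note><!-- dropped --><body>rotate keys</body></note>"));

        // Constructed sample with a DOCTYPE. disallow-doctype-decl makes the parser raise a fatal
        // error on the declaration itself, so no entity, internal or external, is ever processed.
        String withDoctype = "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>";
        try {
            rootName(dbf, withDoctype);
            System.out.println("unexpected: DOM accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("DOM rejected DOCTYPE: " + e.getMessage());
        }

        XMLReader reader = newHardenedXmlReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("unexpected: SAX accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("SAX rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

        Rejecting every DOCTYPE is the strongest setting and is what the "DTD: disabled" bullets describe; if an application must accept documents with a harmless internal DTD, the remaining three feature settings are what keep external entities and external DTD subsets from being resolved, and setFeature throws ParserConfigurationException for any feature the installed parser does not recognise, which is worth treating as a configuration error rather than catching silently.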