Merge pull request #177 from shado23/safe-defaults
SethTisue authored Mar 4, 2021
2 parents 43dc3ef + 0ba347b commit 97fabfb
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion shared/src/main/scala/scala/xml/factory/XMLLoader.scala
@@ -30,7 +30,13 @@ trait XMLLoader[T <: Node] {
private lazy val parserInstance = new ThreadLocal[SAXParser] {
override def initialValue = {
val parser = SAXParserFactory.newInstance()

parser.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true)
parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
parser.setFeature("http://xml.org/sax/features/external-general-entities", false)
parser.setFeature("http://xml.org/sax/features/resolve-dtd-uris", false)
parser.setXIncludeAware(false)
parser.setNamespaceAware(false)
parser.newSAXParser()
}
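Review bot: The two `http://apache.org/xml/features/...` URIs passed to `setFeature` are Xerces-specific, and `SAXParserFactory.setFeature` throws (`SAXNotRecognizedException` or `ParserConfigurationException`) when the active JAXP provider does not know a feature, so on such a provider `initialValue` would fail and every load through this trait would fail with it. It is worth deciding explicitly what happens when a vendor feature is rejected: either fail closed with a clear message, or continue on the standard `secure-processing` and `http://xml.org/sax/features/*` settings, which can stay unconditional. Separately, `disallow-doctype-decl` set to true rejects any document that carries a DOCTYPE, a behaviour change for existing callers that deserves a comment above the block, e.g. `// Safe defaults against XXE: documents with a DOCTYPE are rejected; external entities and DTDs are never fetched`. The first call could use the JDK constant instead of the literal, `parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, if `javax.xml.XMLConstants` is imported (the import block is outside this hunk). The enclosing trait continues beyond the hunk.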