From b9dbd4eed6cb0615a883de2e871e849fb32f1258 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 1 Apr 2014 13:34:52 +0200
Subject: update Axis to axis-1.0_IAIK_1.1.jar   - solve problems with possible
 XML External Entity (XXE) attacks   - DocType Declarations are not allowed in
 axis-1.0_IAIK_1.1.jar

---
 common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'common/src/main/java/at/gv/egovernment/moa')

diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 102d3a31f..2b816ed4c 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -115,6 +115,8 @@ public class DOMUtils {
   private static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE =
 	  "http://xml.org/sax/features/external-parameter-entities";
   
+  private static final String DISALLOW_DOCTYPE_FEATURE =
+		  "http://apache.org/xml/features/disallow-doctype-decl";
   
   
   
@@ -514,6 +516,9 @@ public class DOMUtils {
     parser.setFeature(NAMESPACES_FEATURE, true);
     parser.setFeature(VALIDATION_FEATURE, true);
     parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+    parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+    parser.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
+    
     
     if (externalSchemaLocations != null) {
       parser.setProperty(
-- 
cgit v1.2.3