From e46e9a87913413b6948591e7429d2f40b51cfe58 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 7 Mar 2017 11:02:55 +0100
Subject: set XML parser properties to SL request unmarshaller
---
 utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'utils/src/main')
diff --git a/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java b/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
index 90e08401..70f5dce1 100644
--- a/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
+++ b/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
@@ -238,6 +238,11 @@ public Object unmarshal(StreamSource source) throws XMLStreamException, JAXBExce
 ReportingValidationEventHandler validationEventHandler = new ReportingValidationEventHandler();
 XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+
+ //disallow DTD and external entities
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+
 XMLEventReader eventReader = inputFactory.createXMLEventReader(source.getReader());
 RedirectEventFilter redirectEventFilter = new RedirectEventFilter();
 XMLEventReader filteredReader = inputFactory.createFilteredReader(eventReader, redirectEventFilter);
-- 
cgit v1.2.3
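Review bot: The second added `setProperty` call spells the property name as a string literal while the call above it uses the `XMLInputFactory` constant; `inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);` names the same property, keeps the two calls consistent and lets the compiler check the name. The comment says what is switched off but not why, so something like `// XXE hardening: no DTD processing, no external entity resolution for incoming SL requests` would serve the next maintainer better. Because `XMLInputFactory.newInstance()` returns whichever StAX provider is on the classpath, whether a DOCTYPE is skipped or rejected with `SUPPORT_DTD` off may differ between providers. A unit test that passes a request carrying a DOCTYPE and an external entity through `unmarshal` and asserts that nothing is resolved would pin the intended behaviour. The properties apply only to this factory instance, and the body of `unmarshal(StreamSource)` continues outside the hunk, so any other parser construction in the class is not covered by what is shown here.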