Package edu.hm.hafner.analysis

Class SecureXmlParserFactory

java.lang.Object

edu.hm.hafner.analysis.SecureXmlParserFactory

public class SecureXmlParserFactory
extends Object

Factory for XML Parsers that prevent XML External Entity attacks. Those attacks occur when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Author:

Ullrich Hafner

See Also:

XML External Entity Prevention Cheat Sheet, XML parsers should not be vulnerable to XXE attacks

Constructor Summary

Constructors

Constructor	Description
SecureXmlParserFactory()

Method Summary

Modifier and Type	Method	Description
void	configureSaxParserFactory(SAXParserFactory factory)	Configures a SAXParserFactory so that it does not resolve external entities.
DocumentBuilder	createDocumentBuilder()	Creates a new instance of a DocumentBuilder that does not resolve external entities.
SAXParser	createSaxParser()	Creates a new instance of a SAXParser that does not resolve external entities.
Transformer	createTransformer()	Creates a Transformer that does not resolve external entities and stylesheets.
XMLStreamReader	createXmlStreamReader(Reader reader)	Creates a new instance of a XMLStreamReader that does not resolve external entities.
void	parse(Reader reader, Charset charset, DefaultHandler handler)	Creates a SAXParser that does not resolve external entities and parses the provided content with the given SAX DefaultHandler.
Document	readDocument(Reader reader, Charset charset)	Parses the provided content into a Document.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecureXmlParserFactory

public SecureXmlParserFactory()

Method Detail

createDocumentBuilder

public DocumentBuilder createDocumentBuilder()

Creates a new instance of a DocumentBuilder that does not resolve external entities.

Returns:

a new instance of a DocumentBuilder

createSaxParser

public SAXParser createSaxParser()

Creates a new instance of a SAXParser that does not resolve external entities.

Returns:

a new instance of a SAXParser

configureSaxParserFactory

public void configureSaxParserFactory(SAXParserFactory factory)

Configures a SAXParserFactory so that it does not resolve external entities.

Parameters:

factory - the facotry to configure

createXmlStreamReader

public XMLStreamReader createXmlStreamReader(Reader reader)

Creates a new instance of a XMLStreamReader that does not resolve external entities.

Parameters:

reader - the reader to wrap

Returns:

a new instance of a XMLStreamReader

parse

public void parse(Reader reader,
                  Charset charset,
                  DefaultHandler handler)

Creates a SAXParser that does not resolve external entities and parses the provided content with the given SAX DefaultHandler.

Parameters:

reader - the content that should be parsed

charset - the charset to use when reading the content

handler - the SAX handler to parse the file

Throws:

ParsingException - if the file could not be parsed

readDocument

public Document readDocument(Reader reader,
                             Charset charset)

Parses the provided content into a Document.

Parameters:

reader - the content that should be parsed

charset - the charset to use when reading the content

Returns:

the file content as document

Throws:

ParsingException - if the file could not be parsed

createTransformer

public Transformer createTransformer()

Creates a Transformer that does not resolve external entities and stylesheets.

Returns:

the created Transformer