Package edu.hm.hafner.analysis

Class SecureXmlParserFactory

java.lang.Object

edu.hm.hafner.analysis.SecureXmlParserFactory

public class SecureXmlParserFactory
extends Object

Factory for XML Parsers that prevent XML External Entity attacks. Those attacks occur when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Author:

Ullrich Hafner

See Also:

• XML External Entity Prevention Cheat Sheet
• XML parsers should not be vulnerable to XXE attacks

Constructor Summary

Constructors

Constructor	Description
SecureXmlParserFactory()

Method Summary

Modifier and Type	Method	Description
void	configureSaxParserFactory(SAXParserFactory factory)	Configures a SAXParserFactory so that it does not resolve external entities.
DocumentBuilder	createDocumentBuilder()	Creates a new instance of a DocumentBuilder that does not resolve external entities.
SAXParser	createSaxParser()	Creates a new instance of a SAXParser that does not resolve external entities.
Transformer	createTransformer()	Creates a Transformer that does not resolve external entities and stylesheets.
XMLStreamReader	createXmlStreamReader(Reader reader)	Creates a new instance of a XMLStreamReader that does not resolve external entities.
void	parse(Reader reader, Charset charset, DefaultHandler handler)	Creates a SAXParser that does not resolve external entities and parses the provided content with the given SAX DefaultHandler.
Document	readDocument(Reader reader, Charset charset)	Parses the provided content into a Document.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

SecureXmlParserFactory

public SecureXmlParserFactory()

Method Details

createDocumentBuilder

public DocumentBuilder createDocumentBuilder()

Creates a new instance of a DocumentBuilder that does not resolve external entities.

Returns:

a new instance of a DocumentBuilder

createSaxParser

public SAXParser createSaxParser()

Creates a new instance of a SAXParser that does not resolve external entities.

Returns:

a new instance of a SAXParser

configureSaxParserFactory

public void configureSaxParserFactory(SAXParserFactory factory)

Configures a SAXParserFactory so that it does not resolve external entities.

Parameters:

factory - the facotry to configure

createXmlStreamReader

public XMLStreamReader createXmlStreamReader(Reader reader)

Creates a new instance of a XMLStreamReader that does not resolve external entities.

Parameters:

reader - the reader to wrap

Returns:

a new instance of a XMLStreamReader

parse

public void parse(Reader reader,
 Charset charset,
 DefaultHandler handler)

Creates a SAXParser that does not resolve external entities and parses the provided content with the given SAX DefaultHandler.

Parameters:

reader - the content that should be parsed

charset - the charset to use when reading the content

handler - the SAX handler to parse the file

Throws:

ParsingException - if the file could not be parsed

readDocument

public Document readDocument(Reader reader,
 Charset charset)

Parses the provided content into a Document.

Parameters:

reader - the content that should be parsed

charset - the charset to use when reading the content

Returns:

the file content as document

Throws:

ParsingException - if the file could not be parsed

createTransformer

public Transformer createTransformer()

Creates a Transformer that does not resolve external entities and stylesheets.

Returns:

the created Transformer