解決方式整合一下,就分兩種:
1、用setFeature()
SAXReader reader = new SAXReader();
reader.setValidation(false); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
...
2、用setEntityResolver()
SAXReader reader = new SAXReader();
reader.setValidation(false); reader.setEntityResolver(new EntityResolver() { @Override public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException { return new InputSource(new ByteArrayInputStream("<?xml version='1.0' encoding='UTF-8'?>".getBytes())); } });
...
這個問題,平時不會去注意,這次記錄的主要原因是,在做自定義xml文件解析成key-vlue的形式時,發現時間略長,影響體驗,故而mark一下。
參考:
setFeature的妙用,解析XML時,外部注入預防即XXE攻擊
http://xerces.apache.org/xerces-j/features.html
XML防止XXE攻擊
描述
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
解決方案:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#SAXReader
參考:
結合來做就是:
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);