Hitachi

uCosminexus Application Server XML Processor User Guide


3.8.1 Overview

From version 1.3 onwards, JAXP provides secure processing functionality to achieve secure (safe) processing in XML parsing. This functionality suppresses processing of suspicious XML code that can trigger a denial-of-service (DoS) attack by placing restrictions on the entities defined in the DTD or the values of maxOccurs attributes specified in the XML schema. For the classes listed later, use the setFeature method to set a feature that enables the secure processing functionality. How to use the feature is described in the following table. For more details, see the JSR 206 Java™ API for XML Processing (JAXP) 1.4 specifications and the Javadoc documentation for the setFeature method of each listed class.

In XMLP 09-50-03 or earlier, the secure processing functionality was disabled by default. In XMLP 09-50-04 or later, however, the functionality is enabled by default for some API methods. For the items subject to limit value checking, the functionality has been enhanced so that the limit values can be changed, and more items can be subject to restrictions on entities. In addition, a system property for compatibility is provided to retain the system behavior from before this functionality was supported.
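
Because the default differs between XMLP versions, application code can set the feature explicitly instead of relying on it. The following is an added example, not code from the Hitachi guide: it uses only standard JAXP calls, the class name and the sample document are constructed for illustration, and whether the document is rejected depends on the entity limit of the parser in use.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SecureProcessingExample {
    // Constructed sample: nested internal entities, each level referencing the
    // previous one 10 times, so &e5; expands to 100,000 copies of "x".
    static String nestedEntityDocument() {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE r [<!ENTITY e0 \"x\">");
        for (int i = 1; i <= 5; i++) {
            dtd.append("<!ENTITY e").append(i).append(" \"");
            for (int j = 0; j < 10; j++) dtd.append("&e").append(i - 1).append(';');
            dtd.append("\">");
        }
        return dtd.append("]><r>&e5;</r>").toString();
    }

    static DocumentBuilderFactory secureDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Set explicitly rather than relying on the version-dependent default.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dom = secureDomFactory();
        System.out.println("DOM secure processing: "
                + dom.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));

        SAXParserFactory sax = SAXParserFactory.newInstance();
        sax.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("SAX secure processing: "
                + sax.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));

        DocumentBuilder builder = dom.newDocumentBuilder();
        try {
            builder.parse(new InputSource(new StringReader(nestedEntityDocument())));
            System.out.println("Parsed: entity count was within the configured limit");
        } catch (SAXException e) {
            // Expected when the expansion count exceeds the parser's limit.
            System.out.println("Rejected by secure processing: " + e.getMessage());
        }
    }
}
```

Running the same class with the feature set to false shows the behavior that applied when secure processing was disabled: the document is expanded in full instead of being rejected.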