Merge pull request #2419 from codelibs/ds_load-external-dtd

Set load-external-dtd as false by default
2020-03-03 20:49:22 +09:00 · 2020-03-03 20:49:22 +09:00 · ee10c1b2bc
commit ee10c1b2bc
parent d5458fa95e 63a93a6a0f
1 changed files with 2 additions and 0 deletions
--- a/src/main/java/org/codelibs/fess/ds/DataStoreFactory.java
+++ b/src/main/java/org/codelibs/fess/ds/DataStoreFactory.java
@ -35,6 +35,7 @@ import javax.xml.parsers.DocumentBuilderFactory;

 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.xerces.impl.Constants;
 import org.codelibs.core.lang.StringUtil;
 import org.codelibs.fess.helper.PluginHelper;
 import org.codelibs.fess.util.ResourceUtil;
@ -87,6 +88,7 @@ public class DataStoreFactory {
                try (InputStream is = Files.newInputStream(xmlPath)) {
                    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                    factory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
                    final DocumentBuilder builder = factory.newDocumentBuilder();

                    final Document doc = builder.parse(is);