Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WstxSAXParser does not inherit the factory configuration #226

Open
coreders opened this issue Jan 14, 2025 · 2 comments
Open

WstxSAXParser does not inherit the factory configuration #226

coreders opened this issue Jan 14, 2025 · 2 comments
Labels
pr-welcome Issue for which progress most likely if someone submits a Pull Request

Comments

@coreders
Copy link

The WstxSAXParser constructor seems to mostly ignore configuration from the provided factory and uses some fixed values:

woodstox/src/main/java/com/ctc/wstx/sax/WstxSAXParser.java

Line 222 in 012a512

mConfig.setDtdResolver(r);

It looks like the doSupportDTDs and resolver could have been inherited from the factory here.

Example code to reproduce:

WstxInputFactory inputFactory = new WstxInputFactory();
inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, true);
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
inputFactory.setXMLResolver(new XMLResolver() {
			@Override
			public Object resolveEntity(String publicID, String systemID, String baseURI, String namespace)
					throws XMLStreamException {
				return "";
			}
		});
WstxSAXParserFactory factory = new WstxSAXParserFactory(xmlInputFactory);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
...

//expectation: this parser is configured as per above configuration and quietly ignores external entities, it does not work unless the resolver is set again on the parser itself explicitly
factory .newSAXParser();

The handling of the features flags in WstxSAXParser is also a bit suspicious as most seem to have a fixed value rather than reflecting the factory features.
@cowtowncoder
Copy link
Member

Thank you for reporting the issue -- you are probably right in that settings are not being propagated. One challenge may be that Stax and SAX configuration are not exactly 1-to-1 mappable, but then again underlying Woodstox configuration should be valid.

@cowtowncoder cowtowncoder added the pr-welcome Issue for which progress most likely if someone submits a Pull Request label Jan 14, 2025
@cowtowncoder
Copy link
Member

And as usual, while I may not have time to work on this immediately, if anyone has time and itch I will make time to help with PRs submitted. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pr-welcome Issue for which progress most likely if someone submits a Pull Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cowtowncoder @coreders