Add SAXReader sec features to match the defaults

Description

In relation to https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658,
the default SAXReader contains the following features:

reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
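A regression check for these settings, added here as an example (it is not part of the issue, dom4j or Hibernate). It assumes the JDK's built-in SAX parser and sets the three features on its XMLReader directly so it runs without dom4j on the classpath; the class name, method name and sample document are constructed for illustration, and the sample only exercises the external DTD lookup.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SaxReaderFeatureCheck {
    // Feature URIs exactly as listed in the issue description.
    static final String[] FEATURES = {
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"
    };

    // Constructed sample: the DOCTYPE names an external DTD that does not exist.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config SYSTEM \"file:///constructed/does-not-exist.dtd\">\n"
      + "<config><name>demo</name></config>";

    // Parses SAMPLE and returns every system id the parser asked to resolve.
    static List<String> externalLookups(boolean hardened) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        if (hardened) {
            for (String f : FEATURES) reader.setFeature(f, false);
        }
        List<String> requested = new ArrayList<>();
        reader.setContentHandler(new DefaultHandler());
        // Record the lookup and return an empty stream so nothing is read from disk or network.
        reader.setEntityResolver((publicId, systemId) -> {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        });
        reader.parse(new InputSource(new StringReader(SAMPLE)));
        return requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default lookups:  " + externalLookups(false));
        System.out.println("hardened lookups: " + externalLookups(true));
        if (!externalLookups(true).isEmpty()) {
            throw new AssertionError("parser still resolves external DTDs or entities");
        }
    }
}
```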

Environment

None

Activity

Panagiotis Sotiropoulos
April 20, 2020, 1:29 PM
Scott Marlow
April 20, 2020, 2:57 PM

Is this needed in addition to HHH-13953?

Gail Badner
April 20, 2020, 8:15 PM
Gail Badner
April 20, 2020, 8:17 PM
Panagiotis Sotiropoulos
April 20, 2020, 9:14 PM

The default SAXReader in the new dom4j version has these security defaults.
I think it would be a good idea not to use fewer security SAXReader features than the default one.
Maybe additional features are needed.

Assignee

Panagiotis Sotiropoulos

Reporter

Panagiotis Sotiropoulos

Fix versions

Labels

None

backPortable

None

Suitable for new contributors

None

Requires Release Note

None

Pull Request

None

backportDecision

Approved

Priority

Major