This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/master by this push:
     new dcd10ae8e0 Fixing SAXParserFactory init (#1284)
dcd10ae8e0 is described below

commit dcd10ae8e0691aed9584a5cce5094e096244090f
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Fri Jan 16 13:49:56 2026 +0100

    Fixing SAXParserFactory init (#1284)
---
 .../syncope/client/console/panels/ParametersModalPanel.java    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
index 58725545f7..4d7caad4d3 100644
--- 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
+++ 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
@@ -27,6 +27,7 @@ import java.io.StringReader;
 import java.text.ParseException;
 import java.util.Base64;
 import java.util.Set;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import org.apache.commons.lang3.time.DateFormatUtils;
@@ -48,8 +49,6 @@ public class ParametersModalPanel extends 
AbstractModalPanel<ConfParam> {
 
     protected static final JsonMapper JSON_MAPPER = 
JsonMapper.builder().findAndAddModules().build();
 
-    protected static final SAXParserFactory SAX_PARSER_FACTORY = 
SAXParserFactory.newInstance();
-
     protected static boolean isDate(final String value) {
         try {
             
DateFormatUtils.ISO_8601_EXTENDED_DATETIME_TIME_ZONE_FORMAT.parse(value);
@@ -79,9 +78,12 @@ public class ParametersModalPanel extends 
AbstractModalPanel<ConfParam> {
 
     protected static boolean isXML(final String value) {
         try {
-            SAX_PARSER_FACTORY.newSAXParser().getXMLReader().parse(new 
InputSource(new StringReader(value)));
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+            factory.newSAXParser().getXMLReader().parse(new InputSource(new 
StringReader(value)));
             return true;
-        } catch (IOException | ParserConfigurationException | SAXException 
xmle) {
+        } catch (IOException | ParserConfigurationException | SAXException e) {
             return false;
         }
     }
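Review bot: The two setFeature calls sit inside the same try as the parse, so a SAXNotRecognizedException/SAXNotSupportedException or ParserConfigurationException raised while enabling secure processing or the Xerces-specific disallow-doctype-decl feature (both are subclasses of the types the multi-catch on the last hunk lines swallows) would make isXML return false for every value instead of surfacing a misconfigured parser. I would configure the factory in its own try and fail loudly there, keeping the existing catch only around the parse; the boolean literal can also be `true` to match the second call. A short Javadoc on isXML would help too, e.g. `/** Returns true if value parses as well-formed XML; documents containing a DOCTYPE are deliberately rejected. */`, since that classification change is easy to miss.
```java
protected static boolean isXML(final String value) {
    SAXParserFactory factory = SAXParserFactory.newInstance();
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    } catch (ParserConfigurationException | SAXException e) {
        // a parser that cannot be hardened is a deployment problem, not a "not XML" value
        throw new IllegalStateException("Cannot configure secure SAX parser", e);
    }
    try {
        factory.newSAXParser().getXMLReader().parse(new InputSource(new StringReader(value)));
        return true;
    } catch (IOException | ParserConfigurationException | SAXException e) {
        return false;
    }
}
```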
