ppkarwasz commented on PR #18:
URL: https://github.com/apache/commons-xml/pull/18#issuecomment-4914693226

   @elharo, could you take a look at this?
   
   Various implementations have different mechanisms to prevent external 
fetches, but is seems that only **resolvers** give a 100% guarantee. For 
example JAXP 1.5 introduces all these nice `ACCESS_EXTERNAL_*` properties, but:
   
   - For DOM and SAX, no `ACCESS_EXTERNAL_*` property regulates XInclude,
   - For StaX `ACCESS_EXTERNAL_*` properties are not recognized.
   
   Therefore the plan is:
   
   - In this PR introduce wrappers of every JAXP object that preinstalls a 
deny-all resolver, which can not be removed by the user, only chained. If a 
user resolver returns `null`, the deny-all behavior is triggered. This PR 
mostly fills the `SAXParser.parse(..., DefaultHandler)` path, were a user 
inadvertently might pass a null-returning resolver.
   - In the next PR I'll remove the usage of `ACCESS_EXTERNAL_*` for JDK 
implementations and convert everything to use the deny-all resolvers.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to