Hello, Joseph Kesselman wrote on 7. Mar 2024 19:41 (GMT +01:00):
> What concerns are you actually trying to address?

The main concerns here typically are DoS protection and generally constrained resource usage when libraries parse and execute things.

…

> And I *think* I remember Xerces adding the ability to limit depth of
> parsed entity recursion, if you're worried about abuse of those.

Yes, Xerces has the Security Manager, and the JDK jax-p makes use of that with stricter defaults for them when FEATURE_SECURE_PROCESSING is requested. The secureValues of the limits are used then:

https://github.com/openjdk/jdk/blob/7c5e6e74c8f559be919cea63ebf7004cda80ae75/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java#L139

When you go Jackson or DOM all is pretty bleak, however. And you still need to do accounting of allocations in your own code and handlers.

Regards,
Bernd
— https://bernd.eckenfels.net
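
A sketch of the two layers mentioned in the message above, as an added example that is not part of the original post and not code from Xerces or the JDK: the parser is asked for FEATURE_SECURE_PROCESSING, and the SAX handler keeps its own account of what it retains. The class name, the budget values and the sample documents are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class BudgetedSaxParse {
    // Hypothetical application budgets; choose values that fit your documents.
    static final int MAX_DEPTH = 32;
    static final long MAX_TEXT_CHARS = 1_000;

    // Handler that accounts for what it retains and aborts the parse when over budget.
    static class BudgetHandler extends DefaultHandler {
        private int depth;
        private long textChars;
        final StringBuilder text = new StringBuilder();
        @Override public void startElement(String uri, String local, String qName, Attributes atts) throws SAXException {
            if (++depth > MAX_DEPTH) throw new SAXException("element depth budget exceeded");
        }
        @Override public void endElement(String uri, String local, String qName) { depth--; }
        @Override public void characters(char[] ch, int start, int length) throws SAXException {
            textChars += length;   // count before buffering so the cap holds across callbacks
            if (textChars > MAX_TEXT_CHARS) throw new SAXException("text budget exceeded");
            text.append(ch, start, length);
        }
    }

    static String parse(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Ask the JAXP implementation to apply its secure-processing limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        BudgetHandler handler = new BudgetHandler();
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parse("<a><b>ok</b></a>"));      // constructed sample, within budget
        try {
            parse("<a>" + "x".repeat(2_000) + "</a>");      // constructed sample, exceeds text budget
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The parser-side limits bound what the parser itself expands; the handler budget bounds what the application buffers, which the parser cannot know about.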