Disable access to external entities, fixes apache#4401

hansva · Oct 9, 2024 · 6e2d6ba · 6e2d6ba
1 parent 25c70d0
commit 6e2d6ba
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/core/src/main/java/org/apache/hop/core/xml/XmlHandler.java b/core/src/main/java/org/apache/hop/core/xml/XmlHandler.java
@@ -737,7 +737,8 @@ public static TransformerFactory createSecureTransformerFactory() {
     try {
       transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
       transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-    } catch (IllegalArgumentException e) {
+      transformerFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    } catch (IllegalArgumentException | TransformerException e) {
       // Ignore this: the library doesn't support these features.
       // We don't need to disable them.
     }