Skip to content

SafeXmlUtils

SafeXmlUtils is a class used in our library, in projects like iso20022 and Integrator.

This class provides mechanisms for creating secure XML parsers and transformers, focusing on mitigating XXE (XML External Entity) attacks.

The features of SafeXmlUtils are dependent on the implementation of XML APIs and have known issues with various versions of Xerces and Xalan. If an error occurs due to a feature not present in the environment, you can examine the XML-related dependencies and replace those that do not support the necessary feature.

Configuration for Ignoring Unsupported Features

In situations where dependencies cannot be modified to support a required XML feature, SafeXmlUtils allows for the bypassing of unsupported features by adding a property file to the classpath.

Configuration Steps:

  1. Property File: Create a file named pw-swift-core.properties and place it in the classpath of your project.
  2. Properties Definition: Define the property safeXmlUtils.ignore in this file. Assign to this property a comma-separated list of XML features that should be ignored by SafeXmlUtils. For example:

safeXmlUtils.ignore=http://xml.org/sax/features/external-general-entities,http://apache.org/xml/features/disallow-doctype-decl

By listing features in this property, SafeXmlUtils will skip them, thereby preventing exceptions related to these features not being available in the runtime environment.

Implementation Details

SafeXmlUtils includes several methods tailored to create various types of XML parsers and transformers with safety configurations. These methods apply or bypass specific XML features based on the project’s environment and needs. Key methods include:

  • documentBuilder(boolean namespaceAware): Configures a DocumentBuilder with safety features.
  • reader(boolean namespaceAware, Schema schema): Creates a SAX parser with customized features.
  • inputFactory(): Sets up a StAX parser with specific security settings.
  • transformer(): Provides a Transformer with restricted access to external DTD and Stylesheets.
  • schemaFactory(): Configures a SchemaFactory with limited external DTD access.
  • validator(Schema schema): Creates a Validator with controlled access to external DTD and Schema.

Each of these methods handles specific XML features like "http://xml.org/sax/features/external-general-entities", "http://apache.org/xml/features/disallow-doctype-decl", and others, ensuring that only secure and supported XML processing features are utilized.