Commit 50c21568c076a59d10a57c47c06570f2f81a13fd

Authored by Alan Davis
1 parent ea483d902f
Exists in master

REPO-480 Extended XmlFactory (JAXP DocumentBuilderFactory and SAXParserFactory)

- decision that FEATURE_DISALLOW_DOCTYPE was too restrictive and that other features would be fine on their own.
src/main/java/org/alfresco/xmlfactory/FactoryHelper.java
... ... @@ -60,29 +60,27 @@ class FactoryHelper
60 60 FEATURE_LOAD_EXTERNAL_DTD,
61 61  
62 62 ADDITIONAL_FEATURE_X_INCLUDE_AWARE
63   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
64   -// , ADDITIONAL_FEATURE_EXPAND_ENTITY_REFERENCES
  63 + , ADDITIONAL_FEATURE_EXPAND_ENTITY_REFERENCES
65 64 )));
66 65  
67 66 final static List<String> DEFAULT_FEATURES_TO_ENABLE = Collections.unmodifiableList(new ArrayList<>(
68 67 Arrays.asList(
69 68 XMLConstants.FEATURE_SECURE_PROCESSING
70   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
71   -// , FEATURE_DISALLOW_DOCTYPE
  69 + // Disllowing DOCTYPE disables too much in terms of transformations
  70 + // , FEATURE_DISALLOW_DOCTYPE
72 71 )));
73 72  
74 73 /* white list of classes that can use the parsers with no security restrictions */
75 74 final static List<String> DEFAULT_WHITE_LIST_CALLERS = Collections.unmodifiableList(new ArrayList<>(
76 75 Arrays.asList(
77   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
78   -// "com.sun.xml.ws.transport.http.servlet.WSServletContextListener",
79   -// "org.springframework.beans.factory.xml.XmlBeanDefinitionReader",
80   -// "org.springframework.beans.factory.support.AbstractBeanFactory",
81   -// "org.apache.myfaces.config.FacesConfigurator",
82   -// "org.hibernate.cfg.Configuration",
83   -// "org.alfresco.ibatis.HierarchicalXMLConfigBuilder",
84   -// "org.alfresco.repo.security.permissions.impl.model.PermissionModel",
85   -// "org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl"
  76 + "com.sun.xml.ws.transport.http.servlet.WSServletContextListener",
  77 + "org.springframework.beans.factory.xml.XmlBeanDefinitionReader",
  78 + "org.springframework.beans.factory.support.AbstractBeanFactory",
  79 + "org.apache.myfaces.config.FacesConfigurator",
  80 + "org.hibernate.cfg.Configuration",
  81 + "org.alfresco.ibatis.HierarchicalXMLConfigBuilder",
  82 + "org.alfresco.repo.security.permissions.impl.model.PermissionModel",
  83 + "org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl"
86 84 )));
87 85  
88 86 // Property names used to configure the factories
... ...
src/test/java/org/alfresco/xmlfactory/AppTest.java
... ... @@ -71,16 +71,15 @@ public class AppTest
71 71 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
72 72  
73 73 assertTrue(dbf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
74   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
75   -// assertTrue(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
  74 + // Disllowing DOCTYPE disables too much in terms of transformations
  75 + // assertTrue(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
76 76  
77 77 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_EXTERNAL_GENERAL_ENTITIES));
78 78 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_EXTERNAL_PARAMETER_ENTITIES));
79 79 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_USE_ENTITY_RESOLVER2));
80 80 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_LOAD_EXTERNAL_DTD));
81 81  
82   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
83   -// assertFalse(dbf.isExpandEntityReferences());
  82 + assertFalse(dbf.isExpandEntityReferences());
84 83 assertFalse(dbf.isXIncludeAware());
85 84 }
86 85  
... ... @@ -92,8 +91,8 @@ public class AppTest
92 91 SAXParserFactory spf = SAXParserFactory.newInstance();
93 92  
94 93 assertTrue(spf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
95   -// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
96   -// assertTrue(spf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
  94 + // Disllowing DOCTYPE disables too much in terms of transformations
  95 + // assertTrue(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
97 96  
98 97 assertFalse(spf.getFeature(FactoryHelper.FEATURE_EXTERNAL_GENERAL_ENTITIES));
99 98 assertFalse(spf.getFeature(FactoryHelper.FEATURE_EXTERNAL_PARAMETER_ENTITIES));
... ...