Commit bf5093e774acdb935f99ff606d8a5f843933f3c1

Authored by Alan Davis
1 parent db3840b094
Exists in master

REPO-480 Platform XXE protection implements OWASP recommendations

- Tidy up comment about configuration.
src/main/java/org/alfresco/xmlfactory/FactoryHelper.java
... ... @@ -213,10 +213,11 @@ public class FactoryHelper
213 213  
214 214 /**
215 215 * Returns a List of features (to be enabled or disabled) or class names (to be included in a caller white list) for
216   - * a factory. This method uses a similar approach to the one used to select the JAXP factories in the first place.
217   - * The following order is used to find a semicolon separated list of values:
218   - * <li>A system property {@code}&lt;factoryName>.<propertyNameSuffix>{@code} if it exists and is accessible
219   - * (for example {@code}javax.xml.parsers.SAXParserFactory.enable{@code}=...).</li>
  216 + * a factory. A similar approach to the one used to select the JAXP factories in the first place is used to find a
  217 + * property value for each configurable value. The property names are: {@code}features.to.enable{@code},
  218 + * {@code}features.to.disable{@code} and {@code}white.list.callers{@code}. The following order is used to find a
  219 + * semicolon separated list of values for each property:
  220 + * <li>A system property {@code}&lt;factoryName>.<propertyName>{@code} if it exists and is accessible.</li>
220 221 * <li>A property in {@code}$JAVA_HOME/lib/&lt;factoryName>.properties{@code} if it exists.</li>
221 222 * <li>A property in {@code}META-INF/services/&lt;factoryName>.properties{@code} if it exists.</li>
222 223 * <li>The {@code}deafultFeatures{@code} parameter passed to this method.</li>
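Review bot: the added Javadoc at new lines 217 to 220 writes inline code as {@code}features.to.enable{@code}, which is not valid inline tag syntax. The text belongs inside the tag, as in {@code features.to.enable}; as written, the name is rendered outside the code span. On new line 220 only the first angle bracket is escaped (&lt;factoryName>.<propertyName>), so <propertyName> will be read as an HTML element. Inside a well-formed {@code ...} tag no escaping is needed at all. The rewrite also drops the concrete example the old text carried (javax.xml.parsers.SAXParserFactory.enable). Since these properties decide which parser features are enabled or disabled and which callers are white listed, one full example name under the new naming would help an operator set them correctly. Separately, context line 222 still reads deafultFeatures, which could be corrected in the same tidy-up if it is a typo for the parameter name.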
... ...