[jdom-interest] How to disable <!DOCTYPE > parsing
raff at aromatic.org
Thu Dec 16 15:07:11 PST 2004
I am pretty sure this is not a specific JDOM problem but I wanted to see
if any of you has an idea.
I am parsing some XML data using JDOM and SAXBuilder. The data is posted
by a web client to execute some server-side APIs. The format is very
simple so I don't have a DTD or schema for it. Also, I parse the document
with no validation (since I don't have a DTD to validate against).
Somebody, to test our "security holes" came up with the idea of passing a
<!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know,
the XML parser, validation or not, tries to access it (so they claim is a
security hole because they can generate accesses from our server to
whatever server they put in the DTD URL. Pretty clever actually!)
Again, I think this is a problem with the XML parser I am using. I found
out that Xalan has a special "feature" to disable DTD parsing (but I
didn't try because I don't want to use Xalan for this).
First of all, should this happen if validation is disabled ?
If that's out of JDOM control, can anybody think of a way to disable this
at the XML parser level (maybe subclassing some handler ?)
More information about the jdom-interest