don't allow SAX parser to accept DTDs
authorPJ Fanning <fanningpj@apache.org>
Tue, 7 Sep 2021 20:59:19 +0000 (20:59 +0000)
committerPJ Fanning <fanningpj@apache.org>
Tue, 7 Sep 2021 20:59:19 +0000 (20:59 +0000)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1893075 13f79535-47bb-0310-9956-ffa450edef68

poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
poi/src/main/java/org/apache/poi/util/XMLHelper.java

index cb736d599ef7303d34bc6aeb4be22fd4a76f8dcc..29bbde1239e98427e29fd25558ef6e6b046f2195 100644 (file)
@@ -1887,7 +1887,7 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
             SAXParseException e = assertThrows(SAXParseException.class,
                 () -> reader.parse(new InputSource(zip.getInputStream(ze))));
             assertNotNull(e.getMessage());
-            assertTrue(e.getMessage().contains("more than \"1\" entity"));
+            assertNotEquals(isOldXercesActive(), e.getMessage().contains("DOCTYPE is disallowed when the feature"));
         }
     }
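Review bot: The rewritten message assertion checks nothing positive when `isOldXercesActive()` returns true, because it then only requires that the message does not contain the DOCTYPE text, so any unrelated SAXParseException would pass on that parser. Comparing two booleans through `assertNotEquals` also hides the intent; `assertEquals(!isOldXercesActive(), e.getMessage().contains("DOCTYPE is disallowed when the feature"));` reads more directly. A comment such as `// parsers flagged by isOldXercesActive() reject the file with a different message` would help, if that is indeed what happens there. If that parser's message is stable, it could be asserted in its own branch. The enclosing test method starts outside the hunk.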
 
index e27c976d286d533a605d03f1fc025df4e2bc3b2a..87a481b04ce65d970f74f91f66f41c8b7509b4d7 100644 (file)
@@ -157,6 +157,7 @@ public final class XMLHelper {
             trySet(factory::setFeature, FEATURE_LOAD_DTD_GRAMMAR, false);
             trySet(factory::setFeature, FEATURE_LOAD_EXTERNAL_DTD, false);
             trySet(factory::setFeature, FEATURE_EXTERNAL_ENTITIES, false);
+            trySet(factory::setFeature, FEATURE_DISALLOW_DOCTYPE_DECL, true);
             return factory;
         } catch (RuntimeException | Error re) { // NOSONAR
             // this also catches NoClassDefFoundError, which may be due to a local class path issue
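Review bot: `FEATURE_DISALLOW_DOCTYPE_DECL` is applied through `trySet`, whose body is not in this hunk; if it is best-effort, as its name suggests, a parser that does not support the feature will keep accepting DOCTYPE declarations without the caller being able to tell. For a security setting that outcome should be visible, for example through a warning logged in `trySet`, or at least a comment on the added line such as `// reject any DOCTYPE outright; the three features above stay as the fallback when a parser does not support this one`. The added line also makes every SAX parse of a document carrying a DOCTYPE fail, which deserves a sentence in the method's Javadoc so callers are not surprised. The method signature and the rest of the catch block are outside the hunk.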