Rather than having lots of classes all create their own XML DocumentBuilderFactory instance, push that logic to a helper which sets all the right defaults

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1587739 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 50 insertions, 2 deletions

diff --git a/src/java/org/apache/poi/dev/RecordGenerator.java b/src/java/org/apache/poi/dev/RecordGenerator.java
index 56198b6b5c..9aa074de25 100644
--- a/src/java/org/apache/poi/dev/RecordGenerator.java
+++ b/src/java/org/apache/poi/dev/RecordGenerator.java
@@ -34,6 +34,7 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
+import org.apache.poi.util.XMLHelper;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -76,8 +77,7 @@ public class RecordGenerator {
                     )
                     ) {
                 // Get record name and package
-                DocumentBuilderFactory factory =
-                        DocumentBuilderFactory.newInstance();
+                DocumentBuilderFactory factory = XMLHelper.getDocumentBuilderFactory();
                 DocumentBuilder builder = factory.newDocumentBuilder();
                 Document document = builder.parse(file);
                 Element record = document.getDocumentElement();
diff --git a/src/java/org/apache/poi/util/XMLHelper.java b/src/java/org/apache/poi/util/XMLHelper.java
new file mode 100644
index 0000000000..f2da607762
--- /dev/null
+++ b/src/java/org/apache/poi/util/XMLHelper.java
@@ -0,0 +1,48 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+package org.apache.poi.util;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+/**
+ * Helper methods for working with javax.xml classes.
+ * @see SAXHelper
+ */
+public final class XMLHelper
+{
+    /**
+     * Creates a new DocumentBuilderFactory, with sensible defaults
+     */
+    public static DocumentBuilderFactory getDocumentBuilderFactory() {
+        try {
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+            return factory;
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException("Broken XML Setup", e);
+        }
+    }
+}