From 6df937ec6bde5aad5dbcd9cbc558cc623b24a406 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Sat, 24 Jun 2017 07:30:07 +0000
Subject: Add StaxHelper to ensure that StAX parsers have sensible defaults, including settings to avoid XML Entity Expansion issues
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1799734 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/poi/sl/draw/DrawSimpleShape.java | 3 +-
 .../apache/poi/sl/draw/geom/PresetGeometries.java | 3 +-
 src/java/org/apache/poi/util/StaxHelper.java | 52 ++++++++++++++++++++++
 3 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 src/java/org/apache/poi/util/StaxHelper.java
(limited to 'src/java')
diff --git a/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java b/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java
index d2e9991e1e..912cf3e7a0 100644
--- a/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java
+++ b/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java
@@ -53,6 +53,7 @@ import org.apache.poi.sl.usermodel.PaintStyle.SolidPaint;
 import org.apache.poi.sl.usermodel.Shadow;
 import org.apache.poi.sl.usermodel.SimpleShape;
 import org.apache.poi.util.IOUtils;
+import org.apache.poi.util.StaxHelper;
 import org.apache.poi.util.Units;
@@ -363,7 +364,7 @@ public class DrawSimpleShape extends DrawShape {
 };
 try {
- XMLInputFactory staxFactory = XMLInputFactory.newInstance();
+ XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
 XMLEventReader staxReader = staxFactory.createXMLEventReader(presetIS);
 XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
 // Ignore StartElement:
diff --git a/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java b/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java
index ad2553fbe7..a188e6e255 100644
--- a/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java
+++ b/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java
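Review bot: The replaced factory line in the second hunk carries no hint that `StaxHelper.newXMLInputFactory()` is there for its DTD and external-entity settings, so a later cleanup could switch it back to a plain `XMLInputFactory` call without noticing the loss. A one-line comment above it would pin the intent, for example `// StaxHelper applies POI's hardened StAX defaults (no DTD, no external entities)`. The same comment fits the matching line in the second PresetGeometries.java hunk. The `try` block opened just above continues outside this hunk, so whether the two event readers are closed cannot be judged from here.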
@@ -37,6 +37,7 @@ import javax.xml.stream.events.XMLEvent;
 import org.apache.poi.sl.draw.binding.CTCustomGeometry2D;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
+import org.apache.poi.util.StaxHelper;
 /**
 *
@@ -59,7 +60,7 @@ public class PresetGeometries extends LinkedHashMap {
 }
 };
- XMLInputFactory staxFactory = XMLInputFactory.newFactory();
+ XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
 XMLEventReader staxReader = staxFactory.createXMLEventReader(is);
 XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
 // ignore StartElement:
diff --git a/src/java/org/apache/poi/util/StaxHelper.java b/src/java/org/apache/poi/util/StaxHelper.java
new file mode 100644
index 0000000000..ae526d73b7
--- /dev/null
+++ b/src/java/org/apache/poi/util/StaxHelper.java
@@ -0,0 +1,52 @@
+/* ====================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+==================================================================== */
+
+package org.apache.poi.util;
+
+import javax.xml.stream.XMLInputFactory;
+
+
+/**
+ * Provides handy methods for working with StAX parsers and readers
+ */
+public final class StaxHelper {
+ private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
+
+ private StaxHelper() {}
+
+ /**
+ * Creates a new StAX XMLInputFactory, with sensible defaults
+ */
+ public static XMLInputFactory newXMLInputFactory() {
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+ trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+ trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ return factory;
+ }
+
+ private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+ try {
+ factory.setProperty(feature, flag);
+ } catch (Exception e) {
+ logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+ }
+ }
+}
-- cgit v1.2.3
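Review bot: `trySetProperty` fails open: when the StAX implementation on the classpath rejects `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES`, the only effect is a WARN log entry, and `newXMLInputFactory()` still returns the factory, so callers go on parsing with whatever DTD and external-entity behaviour that implementation defaults to. For those two properties the caller should be able to tell that the hardening did not take effect; one option is to read the value back after the set calls, e.g. `if (!Boolean.FALSE.equals(factory.getProperty(XMLInputFactory.SUPPORT_DTD)))`, and then refuse to return the factory or log at a higher level. The Javadoc's "sensible defaults" should also name the four properties it sets and say that they are applied best-effort, so that users with an older StAX parser know to check their logs.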