From 6e63f99fb2fc07f9a9690ce14e8f99cb045b6d4a Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Wed, 16 Nov 2016 12:33:32 +0000
Subject: FOP-2668: Dont load DTDs

git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/fop/trunk@1769967 13f79535-47bb-0310-9956-ffa450edef68
---
 fop-core/src/main/java/org/apache/fop/cli/InputHandler.java   | 1 +
 fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
index 5b9d2fd77..29d1c0c11 100644
--- a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+++ b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
@@ -244,6 +244,7 @@ public class InputHandler implements ErrorListener, Renderable {
         SAXParserFactory spf = SAXParserFactory.newInstance();
         spf.setFeature("http://xml.org/sax/features/namespaces", true);
         spf.setFeature("http://apache.org/xml/features/xinclude", true);
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         XMLReader xr = spf.newSAXParser().getXMLReader();
         return xr;
     }
diff --git a/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java b/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
index f06486c2b..0250415f2 100644
--- a/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
+++ b/fop-core/src/main/java/org/apache/fop/servlet/FopServlet.java
@@ -30,6 +30,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -96,6 +97,8 @@ public class FopServlet extends HttpServlet {
     public void init() throws ServletException {
         this.uriResolver = new ServletContextURIResolver(getServletContext());
         this.transFactory = TransformerFactory.newInstance();
+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         this.transFactory.setURIResolver(this.uriResolver);
         //Configure FopFactory as desired
         // TODO: Double check this behaves properly!!
-- 
cgit v1.2.3