Java: the configured XML parser does not prevent or limit external entity resolution
Tags: java, xml, error-handling, fortify

Even though I changed the code to what I found on the web, I keep getting this error every time, as shown below:
```java
import java.io.InputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

private Document convertInputToDocument(InputStream xml) {
    try {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Enable JAXP secure processing (entity expansion limits etc.)
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not resolve external general or parameter entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setIgnoringElementContentWhitespace(true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(xml);
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }
}
```
The reason behind this was/is that the Fortify scan had not compiled the packages being used, so it could not see that we had provided sufficient security.