This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 0de51cc8ffb5d0475a8d90118a63371e28b7fee6
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Mar 4 09:35:11 2024 +0100

    Improved: [codeQL]  Resolving specific Java issues (OFBIZ-12925)
    
    Adds more controls; better safe than sorry.
    
    This is related to OFBIZ-12304
---
 .../org/apache/ofbiz/webtools/WebToolsServices.java     | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git 
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
 
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index dd99fd6b62..77c8425059 100644
--- 
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ 
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -160,11 +160,24 @@ public class WebToolsServices {
                         UtilMisc.toMap("filename", fmfilename, "errorString", 
"Template file not found."), locale));
             }
             try {
-                DocumentBuilder documentBuilder = 
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+                DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+                factory.setValidating(true);
+                factory.setNamespaceAware(true);
+
+                factory.setAttribute("http://xml.org/sax/features/validation";, 
true);
+                
factory.setAttribute("http://apache.org/xml/features/validation/schema";, true);
+
+                
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+                
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+                
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+                factory.setXIncludeAware(false);
+                factory.setExpandEntityReferences(false);
+
+                DocumentBuilder builder = factory.newDocumentBuilder();
                 InputSource ins = url != null ? new 
InputSource(url.openStream()) : new InputSource(new StringReader(fulltext));
                 Document doc;
                 try {
-                    doc = documentBuilder.parse(ins);
+                    doc = builder.parse(ins);
                 } finally {
                     if (ins.getByteStream() != null) {
                         ins.getByteStream().close();
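Review bot: Enabling validation (`factory.setValidating(true)` plus the `.../sax/features/validation` attribute) works against the hardening a few lines below: in Xerces the `nonvalidating/load-external-dtd` feature only applies when validation is off, so with validation on the parser will still fetch the DTD named in a DOCTYPE, and `setExpandEntityReferences(false)` is not a reliable XXE guard on its own. Since the input here comes from a URL stream or the caller-supplied `fulltext` string, the robust choice is to reject DOCTYPE declarations outright, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, and to leave validation off unless a specific grammar is actually intended. If validation is kept, note that no ErrorHandler is registered on the builder, so validation errors (e.g. no grammar found) appear to be reported by the default handler rather than rejecting the document — worth confirming against the JAXP implementation in use. The `.../validation/schema` attribute is Xerces-specific and may throw IllegalArgumentException on another JAXP provider; a short comment naming that assumption would help the next reader. The enclosing method starts and ends outside this hunk.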
