当我使用强化工具进行扫描时,我在“XML 外部实体注入”下遇到了一些问题。
TransformerFactory trfactory = TransformerFactory.newInstance();
这是它显示错误的地方。我已经按照 fortify 的建议进行了以下修复
trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
但问题仍然没有解决。如何解决这个问题?
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
这就足够了。
如果 java 版本不兼容,有时它将无法工作。
if (javaVersion > 1.6) {
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
else {
if (javaVersion > 1.5) {
dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
}
else {
dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
}
}
它对我有用:-)
你也可以试试:
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
Transformer transformer = transformerFactoryImpl.newTransformer();
transformer.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
我尝试使用“Xalan”实现类而不是 TransformerFactory.newInstance()。它对我有用并且强化问题得到了修复
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
Transformer transformer = transformerFactoryImpl.newTransformer();
添加这一行。它对我有用。
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);