Solving security issues when parsing XML with a SAX parser

Time: 2021-12-12 01:23:06

I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.


The issue is, if the user enters an untrusted xml source url, the app and/or the device might be affected.

What are the best ways to identify risks and prevent exploits?

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is and how I can achieve it?

Thanks.

2 solutions

#1


4  

After researching, I found this. I hope this would solve my problem.


To enable FEATURE_SECURE_PROCESSING:

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // throws ParserConfigurationException / SAXException if unsupported

Disable DTDs:

// Apache Xerces feature: the parser rejects any <!DOCTYPE ...> declaration outright
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

#2


2  

  • For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

    // factory is a SAXParserFactory or DocumentBuilderFactory (Apache Xerces feature)
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

  • For StAX parser:

    // factory is a javax.xml.stream.XMLInputFactory; entity references are left unexpanded
    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
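Putting the SAX settings from both answers together, as an added example that is not code from the question or either answer (the class name, the helper names and the two sample documents are mine and constructed): the factory asks for the Xerces disallow-doctype-decl feature and, when the parser does not recognize it, falls back to the standard SAX features that switch off external entity resolution; any failure to apply either set of features propagates, so untrusted input is never parsed with an unhardened parser. On a Xerces-based parser (the JDK default) the DOCTYPE sample is rejected; under the fallback only external entities are blocked and the internal DTD still parses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSax {
    // Hypothetical helper: a factory that refuses DTDs. Exceptions are not swallowed,
    // so a parser on which the hardening cannot be applied is never used.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        try {
            // Xerces feature: reject any <!DOCTYPE ...>, which removes both entity
            // expansion and external entity (XXE) references at the root.
            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (SAXNotRecognizedException notXerces) {
            // Weaker fallback for parsers without the Xerces feature: the standard SAX
            // features that stop external entity resolution. DTDs are still parsed here.
            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        return spf;
    }

    // true if the hardened parser accepted the document, false if it rejected it
    static boolean accepts(String xml) throws ParserConfigurationException, SAXException {
        ByteArrayInputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        try {
            hardenedFactory().newSAXParser().parse(in, new DefaultHandler());
            return true;
        } catch (SAXException | IOException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain feed, and one carrying a DOCTYPE with an entity declaration
        String benign = "<feed><item>hello</item></feed>";
        String withDoctype = "<!DOCTYPE feed [<!ENTITY e \"x\">]><feed>&e;</feed>";
        System.out.println("benign accepted: " + accepts(benign));
        System.out.println("DOCTYPE accepted: " + accepts(withDoctype));
    }
}
```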

#1


4  

After researching, I found this. I hope this would solve my problem.

经过研究,我发现了这一点。我希望这能解决我的问题。

To enable FEATURE_SECURE_PROCESSING

启用FEATURE_SECURE_PROCESSING

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

#2


2  

  • For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

    对于SAX和DOM解析器,dcanh121指出,禁用DTD就足够了。

    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

  • For StAX parser:

    对于StAX解析器:

    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);