Prevent XXE fortify issue for TransformerFactory

Submitted by 久未见 on 2019-12-13 07:10:12

Question


I need to fix an XXE issue. I am using TransformerFactory in my code. I found the fix below, but I cannot see the ACCESS_EXTERNAL_DTD attribute in my code. The reason I got is that the code below will work for Java 7, however I am using Java 6. Can someone please suggest some other fix? To protect a Java TransformerFactory from XXE, do this:

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
// The ACCESS_EXTERNAL_* constants were added with JAXP 1.5 and are not present in Java 6.
TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Answer 1:


I was in the same situation and it is difficult to resolve without updating the Java version.

The following is the code change that was able to pass the Fortify scan with the same results.

Instead of using TransformerFactory, use the following code:

   import java.io.StringWriter;
   import org.w3c.dom.Document;
   import org.w3c.dom.ls.DOMImplementationLS;
   import org.w3c.dom.ls.LSOutput;
   import org.w3c.dom.ls.LSSerializer;

   // Serialize an already-parsed DOM to a String without TransformerFactory.
   // The cast works with the JDK's built-in Xerces DOM, whose implementation supports DOMImplementationLS.
   static String toXmlString(Document doc) {
      DOMImplementationLS domImplementation = (DOMImplementationLS) doc.getImplementation();
      LSSerializer lsSerializer = domImplementation.createLSSerializer();
      LSOutput lsOutput = domImplementation.createLSOutput();
      lsOutput.setEncoding("UTF-8");
      StringWriter stringWriter = new StringWriter();
      lsOutput.setCharacterStream(stringWriter);
      lsSerializer.write(doc, lsOutput);
      return stringWriter.toString();
   }

For reference, please review "Is there a more elegant way to convert an XML Document to a String in Java than this code?".

And
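As an added example (not the answer's own code), here is the full Java 6 pipeline: a DocumentBuilderFactory hardened with the Xerces feature names that the JDK's built-in parser accepts, so no JAXP 1.5 XMLConstants are needed, feeding the LSSerializer approach from the answer. The class name and the two sample documents are constructed for the demo; it assumes the JDK's bundled Xerces (another parser may reject the Apache feature name, which setFeature reports as a ParserConfigurationException).

```java
import java.io.*;
import javax.xml.parsers.*;
import org.w3c.dom.Document;
import org.w3c.dom.ls.*;
import org.xml.sax.*;

public class Java6XxeSafeRoundTrip {
    // Parser hardened with Xerces feature names the JDK 6 built-in parser understands;
    // no JAXP 1.5 constants (XMLConstants.ACCESS_EXTERNAL_*) are needed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that lack the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Serialize with LSSerializer, as in the answer: output only, nothing is parsed
    // or fetched, and there is no TransformerFactory for Fortify to flag.
    static String serialize(Document doc) {
        DOMImplementationLS ls = (DOMImplementationLS) doc.getImplementation();
        LSSerializer serializer = ls.createLSSerializer();
        LSOutput out = ls.createLSOutput();
        out.setEncoding("UTF-8");
        StringWriter writer = new StringWriter();
        out.setCharacterStream(writer);
        serializer.write(doc, out);
        return writer.toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();
        // Constructed sample input: a benign document round-trips normally.
        String benign = "<order id=\"42\"><item>book</item></order>";
        System.out.println(serialize(builder.parse(new InputSource(new StringReader(benign)))));
        // Constructed sample input: a DOCTYPE declaring an external entity is refused at
        // parse time, so the entity is never resolved and never reaches the serializer.
        String withDtd = "<!DOCTYPE o [<!ENTITY x SYSTEM \"file:///does-not-exist\">]><o>&x;</o>";
        try {
            builder.parse(new InputSource(new StringReader(withDtd)));
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```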



Source: https://stackoverflow.com/questions/35479324/prevent-xxe-fortify-issue-for-trasnformerfactory
