I'm looking for information and a solution regarding an issue that I have with my implementation of SAXParser to perform XSL Transformation.
In order to improve the quality of our project, the SonarQube sensitivity has been raised. Then a new error appeared for my implementation.
Sonarqube is asking me to set properties to empty value in order to exclude the possibilities of an attack based on those values.
The problem: while I can set the property for ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to empty correctly, the property ACCESS_EXTERNAL_STYLESHEET does not seem to be a valid property for SAXParser. And without it set correctly, SonarQube doesn't remove the blocker error, as it seems mandatory for XSL Transformation.
SAXParser saxParser = saxParserFactory.newSAXParser();
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Work
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // Work
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // Doesn't work and throw org.xml.sax.SAXNotRecognizedException
What should I do?
I'm using Saxon-HE:9.8.0-8
Thank you in advance
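Where the stylesheet-access restriction actually lives, as an added example that is neither the question's code nor Saxon's: XMLConstants.ACCESS_EXTERNAL_STYLESHEET is defined as a TransformerFactory attribute, set through TransformerFactory.setAttribute, not as a SAXParser property, which is why the SAX parser rejects it with SAXNotRecognizedException. The example keeps the two properties the SAX parser does accept on the XMLReader that parses the input document, and puts the stylesheet restriction on the factory that compiles the stylesheet. The sample document and stylesheet are constructed for the example. The JDK's own TransformerFactory accepts these attributes; a third-party factory such as Saxon-HE may reject attribute names it does not know with IllegalArgumentException, in which case that product's own configuration settings apply.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedXslt {

    // Constructed sample input and stylesheet (not taken from the question).
    static final String XML = "<doc><item>a</item><item>b</item></doc>";
    static final String XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:for-each select=\"//item\"><xsl:value-of select=\".\"/>,</xsl:for-each>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    /** XMLReader for the input document: only the two properties SAXParser accepts. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        reader.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return reader;
    }

    /** TransformerFactory for the stylesheet: this is where ACCESS_EXTERNAL_STYLESHEET belongs. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol allowed: xsl:import, xsl:include and document()
        // cannot fetch external resources, and the stylesheet cannot load an external DTD.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Runs the transformation with the hardened parser feeding the hardened transformer. */
    static String transform(String xml, String xsl) throws Exception {
        TransformerFactory tf = hardenedTransformerFactory();
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
        // SAXSource carries our own XMLReader, so the input is parsed with the restricted parser
        // rather than whatever reader the transformer would create on its own.
        SAXSource in = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        StringWriter out = new StringWriter();
        t.transform(in, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(transform(XML, XSL));
    }
}
```

Setting the attribute on the factory before newTransformer() matters: the restriction is applied when the stylesheet is compiled, which is when xsl:import and xsl:include are resolved.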
I am upgrading my code from JDOM to JDOM 2.0.5. My previous code was:
JDOM 1.0
XMLOutputter outputter = new XMLOutputter(" ", true);
outputter.setIndent(true);
Now I am using the Format class like the following:
JDOM 2.0.5
Format format = Format.getRawFormat();
format.setIndent(" ");
format.setTextMode(Format.TextMode.TRIM);
XMLOutputter outputter = new XMLOutputter(format);
or I can use Format.getPrettyFormat().
If I remove the "format.setTextMode(Format.TextMode.TRIM)" line from my new code, it is not compatible with the old behavior. If I use TRIM, then it gives output like my old behavior. But I didn't use the TRIM part in my previous code.
My previous code, and my new code if I include TRIM, gives output like the following:
<Config>
<Description>Basic 01</Description>
<CartViews>BasicAndDetailed</CartViews>
<CartView>Basic</CartView>
<DetailsInReview>true</DetailsInReview>
<HeaderInReview>true</HeaderInReview>
<AddressVisibility>Hide</AddressVisibility>
<Visibility>Hide</Visibility>
</Config>
If I remove the TRIM part from my new code, it gives output like the following:
<Config>
<Description>
Basic 01
</Description><CartViews>
BasicAndDetailed
</CartViews><CartView>
Basic
</CartView><DetailsInReview>
true
</DetailsInReview><HeaderInReview>
true
</HeaderInReview><AddressVisibility>
Hide
</AddressVisibility><Visibility>
Hide
</Visibility>
</Config>
Which is noted as wrong behavior.
I couldn't find the reason why TRIM is needed.
Can you please help me with this?
This is the second time I have heard (I maintain JDOM) of someone using Format this way... and getting differences between JDOM 1.x and 2.x.
BUT: you were not using JDOM 1.x in a way that is familiar... the constructor new XMLOutputter(" ", true); does not exist... where did you get that from?
Anyway, the TextMode.RAW mechanism (the default) has a very different output process than the other TextMode options. The reality is that there is a potential bug with TextMode.RAW which should always ignore the setIndent() value because indents should always be ignored.
So, I believe Format.getPrettyFormat() is what you want, so you should just use it.
If you want to discuss this more feel free to mail the jdom-interest mailing list and we can correspond directly.
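To put the three Format variants side by side, here is an added example (not the question's code and not JDOM's own) that parses a constructed document and serializes it with the raw format plus an indent, the raw format with TRIM, and the pretty format the maintainer recommends. Because the text is only re-serialized, the SAXBuilder is told to refuse DOCTYPE declarations, so the string being formatted cannot pull in entities or external DTDs.

```java
import java.io.StringReader;
import org.jdom2.Document;
import org.jdom2.input.SAXBuilder;
import org.jdom2.output.Format;
import org.jdom2.output.XMLOutputter;

public class JdomFormats {

    // Constructed sample document, laid out the way a hand-written config file usually is.
    static final String XML =
        "<Config>\n"
      + "  <Description>Basic 01</Description>\n"
      + "  <CartView>Basic</CartView>\n"
      + "</Config>\n";

    static Document parse(String xml) throws Exception {
        SAXBuilder builder = new SAXBuilder();
        // A DOCTYPE is never needed for a document we only re-format, so refuse it outright.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builder.setExpandEntities(false);
        return builder.build(new StringReader(xml));
    }

    /** The question's first variant: raw format with an indent and no TRIM. */
    static String rawWithIndent(Document doc) {
        Format f = Format.getRawFormat();
        f.setIndent("  ");
        return new XMLOutputter(f).outputString(doc);
    }

    /** The question's second variant: raw format, indent, and TRIM text mode. */
    static String rawWithTrim(Document doc) {
        Format f = Format.getRawFormat();
        f.setIndent("  ");
        f.setTextMode(Format.TextMode.TRIM);
        return new XMLOutputter(f).outputString(doc);
    }

    /** The variant the maintainer recommends: pretty format, which already trims text. */
    static String pretty(Document doc) {
        return new XMLOutputter(Format.getPrettyFormat()).outputString(doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        System.out.println("--- raw + indent ---\n" + rawWithIndent(doc));
        System.out.println("--- raw + indent + TRIM ---\n" + rawWithTrim(doc));
        System.out.println("--- pretty ---\n" + pretty(doc));
    }
}
```

Running it on a document that contains whitespace-only text nodes shows why RAW behaves differently: RAW copies every text node as-is, so the file's own newlines are emitted alongside any indentation the outputter adds, whereas TRIM and the pretty format drop the surrounding whitespace before indenting.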
The XML file is:
<xml-fragment xmlns:xyz="http://someurl">
<xyz:xyzcontent>
<contentattribute>
<key>tags</key>
<value>tag1, tag2</value>
</contentattribute>
</xyz:xyzcontent>
...
I've tried the following:
XPathExpression createdDateExpression = xpath.compile("/contentattribute/key/attribute::tags/value");
There are several problems with your query.
The XML is broken (root tag not closed) -- probably just a copy/paste mistake
You're starting somewhere right in the middle of the XML tree, but actually try to query from the root node. Use the descendant-or-self axis // at the beginning.
Which attribute are you querying using the attribute-axis? There is none.
Where did you register the namespaces? What namespace is xyz, anyway? I guess it's actually vp, but you obfuscated incompletely (or are not giving all relevant parts of the document).
Use predicates and string comparison to filter at axis steps.
Try the following:
Make sure to register the namespace, have a look at the reference for that (or give more information).
Use the XPath query //contentattribute[key='tags']/value
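The answer's query in working form, as an added example that is not the question's or the answer's code: the fragment is parsed namespace-aware (without that, the xyz: elements carry no namespace and a prefixed path never matches), a NamespaceContext binds the xyz prefix to the URI the document declares, and both the short //contentattribute[key=$key]/value form and a fully qualified path from the root are evaluated. The key is bound through an XPathVariableResolver rather than concatenated into the expression, so a caller-supplied key cannot alter the query. The XML is the question's fragment with the root element closed and a second contentattribute added for contrast.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class NamespacedXPath {

    static final String NS = "http://someurl";

    // The question's fragment, completed and extended with a second entry (constructed).
    static final String XML =
        "<xml-fragment xmlns:xyz=\"" + NS + "\">"
      + "<xyz:xyzcontent>"
      + "<contentattribute><key>tags</key><value>tag1, tag2</value></contentattribute>"
      + "<contentattribute><key>owner</key><value>someone</value></contentattribute>"
      + "</xyz:xyzcontent>"
      + "</xml-fragment>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // without this, xyz:xyzcontent has no namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** XPath object that knows the xyz prefix and resolves $key from the given value. */
    static XPath xpathFor(final String key) {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                return "xyz".equals(prefix) ? NS : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return NS.equals(uri) ? "xyz" : null; }
            public Iterator<String> getPrefixes(String uri) {
                return NS.equals(uri) ? Collections.singletonList("xyz").iterator()
                                      : Collections.<String>emptyIterator();
            }
        });
        // Bind the key as a variable; the expression text never contains caller data.
        xpath.setXPathVariableResolver(name -> "key".equals(name.getLocalPart()) ? key : null);
        return xpath;
    }

    /** The answer's query: contentattribute and its children are in no namespace. */
    static String valueAnywhere(Document doc, String key) throws Exception {
        return (String) xpathFor(key).evaluate(
            "//contentattribute[key=$key]/value", doc, XPathConstants.STRING);
    }

    /** Same lookup anchored at the root, which needs the xyz prefix to be registered. */
    static String valueFromRoot(Document doc, String key) throws Exception {
        return (String) xpathFor(key).evaluate(
            "/xml-fragment/xyz:xyzcontent/contentattribute[key=$key]/value",
            doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        System.out.println(valueAnywhere(doc, "tags"));
        System.out.println(valueFromRoot(doc, "tags"));
        System.out.println("[" + valueAnywhere(doc, "missing") + "]");  // empty string
    }
}
```

Both lookups return the text "tag1, tag2" for the key tags; a key that matches nothing yields an empty string rather than an exception, which is the usual XPath behaviour for a STRING result over an empty node set.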
I have an Android app, in which the user can enter any XML source URL to parse. My app then parses the XML (if valid) and displays results.
The issue is, if the user enters an untrusted XML source URL, the app and/or the device might be affected.
What are the best ways to identify the risk and prevent exploitation?
With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how I achieve it?
Thanks.
After researching, I found this. I hope this would solve my problem.
To enable FEATURE_SECURE_PROCESSING
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Disable DTDs
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For StAX parser:
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
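Putting the two answers together, as an added example that is not from the question or either answer: a SAX factory and a StAX factory configured to refuse DOCTYPE declarations and external entities, run over a constructed harmless document and a constructed document that carries a DOCTYPE. Each helper returns null when the parser accepted the document and the parser's own error message when it refused, so the same two inputs can be used to confirm what a given parser implementation actually does. The feature URIs are the Xerces ones the answers quote, which the JDK's parser understands; a different parser (the Android platform's, for instance) may not recognize all of them, and a SAXNotRecognizedException or SAXNotSupportedException from setFeature should then be treated as "not protected" rather than swallowed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class UntrustedXml {

    // Constructed inputs. A DOCTYPE is the only way an XML document can declare entities,
    // so refusing it removes both external-entity references and entity-expansion bombs.
    static final String PLAIN = "<feed><item>ok</item></feed>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE feed [<!ENTITY e \"x\">]><feed><item>&e;</item></feed>";

    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE at all (Xerces feature): the single most effective setting.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these but not the one above.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** SAX: null if the document was accepted, otherwise the parser's reason for refusing it. */
    static String saxParse(String xml) throws Exception {
        XMLReader reader = hardenedSaxFactory().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        }
    }

    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
        return xif;
    }

    /** StAX: null if every event was read, otherwise the message of the failure. */
    static String staxParse(String xml) throws Exception {
        XMLStreamReader r = null;
        try {
            r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            return null;
        } catch (XMLStreamException e) {
            return e.getMessage();
        } finally {
            if (r != null) {
                r.close();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SAX  plain:   " + saxParse(PLAIN));
        System.out.println("SAX  doctype: " + saxParse(WITH_DOCTYPE));
        System.out.println("StAX plain:   " + staxParse(PLAIN));
        System.out.println("StAX doctype: " + staxParse(WITH_DOCTYPE));
    }
}
```

With the JDK's Xerces-based SAX parser, the DOCTYPE document is rejected with a fatal error before any entity is expanded, while the plain document parses. For an app that fetches the XML from a user-supplied URL, the parser settings are only half of the picture: the fetch itself should also be bounded (size limit, timeout, no redirects to internal addresses), since the parser never sees what the network layer refuses to download.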
I have some Java code that validates XML against an XSD. I am using a modified version of the Error Handler found here: http://www.ibm.com/developerworks/xml/library/x-javaxmlvalidapi.html to catch and log ALL exceptions while validating.
The errors are very terse, they look something like this:
http://www.w3.org/TR/xml-schema-1#cvc-complex-type.2.4.a?s:cID&{"http://www.myschema.com/schema":txn}
Other messages such as
http://www.w3.org/TR/xml-schema-1#cvc-complex-type.2.4.a?s:attributes&{"http://www.myschema.com/schema":sequence}
are even more cryptic.
Is there an easy way to get a clear and intelligible message out of SAX explaining what went wrong here? I think in the first error it was expecting txn and instead found the element cID. BUT... I don't know all the possible errors that might be generated by SAX so I'd rather not try to manually create a translation table.
The eventual users of this output are mostly non-technical, so I need to be able to generate simple and clear messages such as "element txn was out of sequence".
If it helps, here's the code (more or less) that's used for validation:
Source schema1 = new StreamSource(new File("resources/schema1.xsd"));
Source schema2 = new StreamSource(new File("resources/schema2.xsd"));
Source[] sources = {schema1,schema2};
validator = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI).newSchema(sources).newValidator();
ErrorHandler lenient = new ForgivingErrorHandler();
validator.setErrorHandler(lenient);
Elsewhere...
StreamSource xmlSource = new StreamSource(new StringReader(XMLData) );
try
{
validator.validate(xmlSource);
}
catch (SAXException e)
{
logger.error("XML Validation Error: ",e);
}
Well, it seems I had to add xsi:schemaLocation="http://www.mycompany.com/schema resources/schema1.xsd " to the XML document, because s:http://www.mycompany.com/schema is the default namespace: xmlns="s:http://www.mycompany.com/schema". Of course, I don't have access to modify the tool that generates the XML, so the following ugly hack was necessary:
xmlDataStr = xmlDataStr.replace("<rootNode ", "<rootNode xsi:schemaLocation=\"http://www.mycompany.com/schema resources/schema1.xsd \" ");
...of course now I'm getting double validation errors! A clear and intelligible one such as:
cvc-complex-type.2.4.a: Invalid content was found starting with element 's:cID'. One of '{"http://www.mycompany.ca/schema":tdr}' is expected.
Immediately followed by:
http://www.w3.org/TR/xml-schema-1#cvc-complex-type.2.4.a?s:cID&{"http://www.mycompany.com/schema":tdr}
The double-error is annoying but at least the first one is usable...
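An added example of the validation with an error handler that records every problem with its location, using a constructed schema and a constructed instance whose two elements are swapped so that the same cvc-complex-type.2.4.a error arises; this is not the question's code. The cryptic domain#key?arg&arg form in the question is what Xerces's error reporter emits when no message formatter is registered for the schema error domain, so the readable text was never looked up for that report; the second, readable message the answer obtained is the same error key with its text resolved. The access properties are set to the empty string so that compiling the schema and validating the instance cannot fetch anything from disk or the network.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class ReadableValidation {

    static final String NS = "http://www.myschema.com/schema";

    // Constructed schema: <txn> must come before <cID>.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
      + " targetNamespace=\"" + NS + "\" elementFormDefault=\"qualified\">"
      + " <xs:element name=\"root\"><xs:complexType><xs:sequence>"
      + "  <xs:element name=\"txn\" type=\"xs:string\"/>"
      + "  <xs:element name=\"cID\" type=\"xs:string\"/>"
      + " </xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

    // Constructed instance with the two children in the wrong order.
    static final String BAD_XML =
        "<s:root xmlns:s=\"" + NS + "\">\n"
      + "  <s:cID>1</s:cID>\n"
      + "  <s:txn>x</s:txn>\n"
      + "</s:root>\n";

    /** Records warnings and errors instead of stopping at the first; fatal errors still stop. */
    static final class CollectingHandler implements ErrorHandler {
        final List<String> problems = new ArrayList<>();

        private void record(String level, SAXParseException e) {
            problems.add(level + " at line " + e.getLineNumber()
                + ", column " + e.getColumnNumber() + ": " + e.getMessage());
        }
        public void warning(SAXParseException e) { record("WARNING", e); }
        public void error(SAXParseException e) { record("ERROR", e); }
        public void fatalError(SAXParseException e) throws SAXException {
            record("FATAL", e);
            throw e;   // malformed XML: nothing sensible can be reported beyond this point
        }
    }

    static List<String> validate(String xsd, String xml) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Both inputs are in memory; forbid fetching schemas or DTDs from anywhere else.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Validator v = sf.newSchema(new StreamSource(new StringReader(xsd))).newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        CollectingHandler handler = new CollectingHandler();
        v.setErrorHandler(handler);
        try {
            v.validate(new StreamSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            // re-thrown from fatalError(); already recorded with its location
        }
        return handler.problems;
    }

    public static void main(String[] args) throws Exception {
        for (String problem : validate(XSD, BAD_XML)) {
            System.out.println(problem);
        }
    }
}
```

Validity errors such as an out-of-sequence element arrive through error(), not fatalError(), so a handler that records and continues sees every one of them in a single pass; line and column from the SAXParseException are usually the most useful thing to put in front of a non-technical user next to the message.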
I was just wondering if someone could give my XML validation code a once over to see if I'm doing it right. Here's the portion of code that is giving me the trouble...
SAXParserFactory factory = SAXParserFactory.newInstance();
SchemaFactory schemaFactory = SchemaFactory
.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
// *** CODE FAILS ON THE BELOW LINE **/
factory.setSchema(schemaFactory
.newSchema(new Source[] { new StreamSource(schemaStream) }));
SAXParser parser = factory.newSAXParser();
SAXReader reader = new SAXReader(parser.getXMLReader());
reader.setValidation(false);
reader.setErrorHandler(new ResultProducingErrorHandler());
reader.read(content);
Whenever I run the above code, I get an error along the lines of:
src-resolve: Cannot resolve the name 'ns:myStructure' to a(n) 'type definition' component.
The elements mentioned in the error messages are all ones that are imported into the schema via calls to <xs:import />. The schema seems to validate OK via the W3C XML Schema Validator.
Do I have to include each of these schemas individually, or is Java smart enough to go off and fetch these extra schemas too? I tried adding them in the array passed to the newSchema call but that didn't make any difference.
I don't think I can give out the link to the schema, so I'm really just looking for a yes or no regarding if my code looks at least acceptable.
Ensure that the xs:import statements point to paths that are reachable from the current directory of your application. The current directory may not be what you think it is.
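Rather than depending on the working directory, the imported schemas can be supplied through an LSResourceResolver, which the schema factory consults for every xs:import and xs:include before it tries to read the location itself. The following is an added example, not the question's code: a main schema imports a types schema that defines ns:myStructure (the same shape as the src-resolve error in the question), and the resolver serves the import from an in-memory map keyed by the literal schemaLocation value. Anything the map does not know is left to the factory, whose own fetching is restricted by ACCESS_EXTERNAL_SCHEMA, so a typo in a schemaLocation fails loudly instead of silently reading a file from wherever the process happens to be running.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSInput;
import org.w3c.dom.ls.LSResourceResolver;
import org.xml.sax.SAXException;

public class ImportResolvingSchema {

    // Constructed schemas: main.xsd imports types.xsd, which defines the referenced type.
    static final String TYPES_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" targetNamespace=\"urn:types\">"
      + " <xs:complexType name=\"myStructure\"><xs:sequence>"
      + "  <xs:element name=\"id\" type=\"xs:string\"/>"
      + " </xs:sequence></xs:complexType>"
      + "</xs:schema>";
    static final String MAIN_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:ns=\"urn:types\">"
      + " <xs:import namespace=\"urn:types\" schemaLocation=\"types.xsd\"/>"
      + " <xs:element name=\"root\" type=\"ns:myStructure\"/>"
      + "</xs:schema>";

    /** Serves imported schemas from a map keyed by the schemaLocation text; null = not ours. */
    static final class MapResolver implements LSResourceResolver {
        private final Map<String, String> bySystemId;
        private final DOMImplementationLS ls;

        MapResolver(Map<String, String> bySystemId) throws Exception {
            this.bySystemId = bySystemId;
            this.ls = (DOMImplementationLS)
                DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
        }

        public LSInput resolveResource(String type, String namespaceURI, String publicId,
                                       String systemId, String baseURI) {
            String text = bySystemId.get(systemId);
            if (text == null) {
                return null;   // fall back to the factory, which the access property restricts
            }
            LSInput input = ls.createLSInput();
            input.setSystemId(systemId);
            input.setStringData(text);
            return input;
        }
    }

    static Schema compile() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // No protocol allowed: the factory may not read imports from disk or the network itself.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        Map<String, String> imports = new HashMap<>();
        imports.put("types.xsd", TYPES_XSD);
        sf.setResourceResolver(new MapResolver(imports));
        // The system id gives the main schema a base URI for resolving relative locations.
        return sf.newSchema(new StreamSource(new StringReader(MAIN_XSD), "main.xsd"));
    }

    /** True if the instance validates against the compiled schema, false if it does not. */
    static boolean isValid(Schema schema, String xml) throws Exception {
        try {
            schema.newValidator().validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Schema schema = compile();
        System.out.println(isValid(schema, "<root><id>1</id></root>"));        // constructed, valid
        System.out.println(isValid(schema, "<root><name>1</name></root>"));    // constructed, invalid
    }
}
```

The same resolver works for xs:include and for schemas loaded from the classpath: replace the map lookup with getResourceAsStream() on a fixed package and feed the stream through setByteStream(). What matters for both correctness and safety is that the set of locations the factory can reach is decided by the application, not by the current directory or by whatever a schemaLocation attribute happens to point at.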