javaxml实体注入_防止XML外部实体注入

方式一

DocumentBuilderFactory dbf &＃61; DocumentBuilderFactory.newInstance();

// 这是优先选择. 如果不允许DTDs (doctypes) ,几乎可以阻止所有的XML实体攻击

String FEATURE &＃61; "http://apache.org/xml/features/disallow-doctype-decl";

dbf.setFeature(FEATURE, true);

FEATURE &＃61; "http://xml.org/sax/features/external-general-entities";

dbf.setFeature(FEATURE, false);

FEATURE &＃61; "http://xml.org/sax/features/external-parameter-entities";

dbf.setFeature(FEATURE, false);

FEATURE &＃61; "http://apache.org/xml/features/nonvalidating/load-external-dtd";

dbf.setFeature(FEATURE, false);

dbf.setXIncludeAware(false);

dbf.setExpandEntityReferences(false);

org.w3c.dom.Document documentW3c &＃61; dbf.newDocumentBuilder().parse(tempFile);

方式二

JAXBContext context &＃61; JAXBContext.newInstance(klass);

XMLInputFactory xif &＃61; XMLInputFactory.newFactory();

xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);

XMLStreamReader xsr &＃61; xif.createXMLStreamReader(new StringReader(xml));

Unmarshaller unmarshaller &＃61; context.createUnmarshaller();

return unmarshaller.unmarshal(xsr);