Merge pull request #1 from 0x7674/master

Removed external entity, doctype, etc support from policy file parsing.
nahsra · Dec 18, 2016 · 8bebe1e · 8bebe1e
2 parents f20fe7a + 979ef56
commit 8bebe1e
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/main/java/org/owasp/validator/html/Policy.java b/src/main/java/org/owasp/validator/html/Policy.java
@@ -80,6 +80,10 @@ public class Policy {
     public static final String PRESERVE_SPACE = "preserveSpace";
     public static final String PRESERVE_COMMENTS = "preserveComments";
     public static final String ENTITY_ENCODE_INTL_CHARS = "entityEncodeIntlChars";
+    public static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
+    public static final String EXTERNAL_PARAM_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
+    public static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+    public static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
 
     public static final String ACTION_VALIDATE = "validate";
     public static final String ACTION_FILTER = "filter";
@@ -276,6 +280,14 @@ private static Element getTopLevelElement(InputStream is) throws PolicyException
     protected static Element getTopLevelElement(InputSource source) throws PolicyException {
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            /**
+             * Disable external entities, etc.
+             */
+            dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+            dbf.setFeature(EXTERNAL_PARAM_ENTITIES, false);
+            dbf.setFeature(DISALLOW_DOCTYPE_DECL, true);
+            dbf.setFeature(LOAD_EXTERNAL_DTD, false);
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document dom = db.parse(source);
             return dom.getDocumentElement();
@@ -353,6 +365,14 @@ private static Element getPolicy(String href, URL baseUrl)
             }
 
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            /**
+             * Disable external entities, etc.
+             */
+            dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+            dbf.setFeature(EXTERNAL_PARAM_ENTITIES, false);
+            dbf.setFeature(DISALLOW_DOCTYPE_DECL, true);
+            dbf.setFeature(LOAD_EXTERNAL_DTD, false);
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document dom;