css4j / echosvg

SVG implementation in the Java™ Language, fork of Apache Batik, supporting level 4 selectors and colors.
Apache License 2.0

DocumentFactory constructors with String argument are not practical and use a deprecated method #24

Closed carlosame closed 3 years ago

carlosame commented 3 years ago

EchoSVG has some *DocumentFactory constructors with String argument, to specify the XML parser class as a string. To secure those parser (actually XMLReader) instances against XXE and SSRF attacks, the http://apache.org/xml/features/nonvalidating/load-external-dtd feature (as well as others) is disabled.

However, that feature only applies to Xerces-J and the Xerces-based parser that is bundled with the OpenJDK, so if another parser is being used it will not work. Even when using only the supported parsers, this also limits their configurability, and one consequence is that XML entities are always going to be lost because no possibility is given to configure the XMLReader.

Moreover, the instantiation of the parser uses a deprecated method.

Solution: modify the constructors to use an XMLReader as argument instead of a String, and configure the parsers in a way that they can handle XML entities and are still secure.
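As an added illustration (not EchoSVG's code), this is the kind of caller-supplied XMLReader the proposed constructor signature would accept: external entity and DTD fetching is refused, the Xerces-only feature named above is applied only when the parser recognises it, and a catch-all EntityResolver keeps non-Xerces parsers from reaching the network or filesystem, while an internal entity in the document still expands. The class name, the sample SVG and the `firstTitle` helper are constructed for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

public final class SecureReaderDemo {
    /** XMLReader that keeps internal entities usable but never fetches external resources. */
    public static XMLReader secureReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Standard JAXP hardening (entity expansion limits etc.), honoured by any compliant factory.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Standard SAX2 features: do not resolve external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-only feature (the one the issue mentions); other parsers may not recognise it.
        setIfSupported(f, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        // Parser-independent backstop: every external lookup gets empty input, never a real fetch.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }
    private static void setIfSupported(SAXParserFactory f, String name, boolean v) throws Exception {
        try { f.setFeature(name, v); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) { /* not a Xerces parser */ }
    }
    /** Returns the text of the first title element, or null if there is none (demo helper). */
    public static String firstTitle(XMLReader reader, String xml) throws Exception {
        StringBuilder title = new StringBuilder();
        boolean[] state = {false, false}; // [0] inside a title, [1] first title already finished
        reader.setContentHandler(new DefaultHandler() {
            @Override public void startElement(String u, String local, String qn, Attributes a) { if (!state[1] && "title".equals(local)) state[0] = true; }
            @Override public void characters(char[] ch, int s, int len) { if (state[0]) title.append(ch, s, len); }
            @Override public void endElement(String u, String local, String qn) { if (state[0]) { state[0] = false; state[1] = true; } }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return state[1] ? title.toString() : null;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: an internal entity, which a blanket "no DOCTYPE" policy would reject.
        String svg = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE svg [ <!ENTITY brand \"Example Corp\"> ]>\n"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\"><title>&brand; logo</title></svg>";
        System.out.println(firstTitle(secureReader(), svg));
    }
}
```

Dropping the DOCTYPE entirely (the `disallow-doctype-decl` approach) is stricter but is exactly what loses the entities the issue wants to keep; the resolver plus the two SAX2 features give the same protection against external fetches without that cost.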