Merge pull request #448 from w3c/krr

ylafon · web-flow · commit 0cf8f6a3d122 · 2025-06-16T16:55:10.000+02:00
more restriction on entity expansion
diff --git a/org/w3c/css/css/XMLStyleSheetHandler.java b/org/w3c/css/css/XMLStyleSheetHandler.java
@@ -549,6 +549,9 @@ void parse(String urlString, URLConnection connection) throws Exception {
 
             xmlParser.setFeature("http://xml.org/sax/features/validation",
                     false);
+            xmlParser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            xmlParser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
             xmlParser.setErrorHandler(this);
             xmlParser.setEntityResolver(this);
         } catch (Exception ex) {
@@ -605,6 +608,8 @@ public void parse(InputSource source, String fileName) throws IOException, SAXEx
                     this);
             xmlParser.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
             xmlParser.setFeature("http://xml.org/sax/features/validation", false);
+            xmlParser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            xmlParser.setFeature("http://xml.org/sax/features/external-general-entities", false);
         } catch (Exception ex) {
             ex.printStackTrace();
         }
