Class XmlFactories
Every method on this class returns a fresh, hardened factory instance. No caching or pooling is performed; callers on a hot path are responsible for their own caching.
Hardening guarantees
Every factory returned by this class makes the same three guarantees, regardless of which JAXP implementation is on the classpath:
- External DTDs are not fetched.
- External entities are not resolved.
- Internal entity expansion is bounded by the JDK's default limit, so DoS payloads such as Billion Laughs are rejected before they exhaust resources.
The guarantees hold whether or not the caller opts into DTD validation
(setValidating(true)) or attaches a compiled XSD via
setSchema: every external resource the validation would otherwise
fetch (the DTD itself, an xsi:schemaLocation hint, an external entity referenced from the DTD) remains blocked.
Each method on this class adds factory-specific guarantees on top of the three above, documented on the corresponding newXxxFactory() method.
Caller-supplied URIs
A top-level URI passed directly by the caller is fetched as-is: StreamSource(systemId), DocumentBuilder.parse(String), or a
SAXSource built from a system id all cause the JAXP implementation to open that URI without consulting the hardening layer. Use a
URIResolver or EntityResolver if you need to restrict the top-level fetch.
Thread safety
The returned factories inherit the thread-safety properties of the underlying JAXP implementation, which in practice means they are not guaranteed to be thread-safe. Create a new factory per thread or synchronise externally.
This class itself is thread-safe: all methods are static and stateless.
-
Method Summary
Modifier and TypeMethodDescriptionstatic SourceRewrites aSourceso that any SAX parsing it triggers runs through anXmlFactories-hardenedXMLReader.static XMLReaderHardens an existingXMLReader.static DocumentBuilderFactoryReturns a fresh, hardenedDocumentBuilderFactory.static SAXParserFactoryReturns a fresh, hardenedSAXParserFactory.static SchemaFactoryReturns a fresh, hardenedSchemaFactoryconfigured for W3C XML Schema (XMLConstants.W3C_XML_SCHEMA_NS_URI).static TransformerFactoryReturns a fresh, hardenedTransformerFactory.static XMLInputFactoryReturns a fresh, hardenedXMLInputFactory.static XPathFactoryReturns a fresh, hardenedXPathFactoryfor the default XPath object model.
-
Method Details
-
harden
Rewrites aSourceso that any SAX parsing it triggers runs through anXmlFactories-hardenedXMLReader.Only
StreamSourceandSAXSourcewithout a reader are enriched with a hardened reader. Other kinds of sources are returned as-is.- Parameters:
source- the source to harden; nevernull.- Returns:
- a hardened source.
- Throws:
TransformerConfigurationException- if a hardened reader cannot be obtained.
-
harden
Hardens an existingXMLReader.- Parameters:
reader- the reader to harden; nevernull.- Returns:
- a hardened reader.
- Throws:
IllegalStateException- if the reader's concrete class is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-
newDocumentBuilderFactory
Returns a fresh, hardenedDocumentBuilderFactory.Enabling XInclude:
setXIncludeAware(true)on its own does not make XInclude usable, because an included resource is fetched like any other external resource and is therefore blocked, failing the parse. A caller that genuinely wants XInclude must, in addition to enabling awareness, install a customEntityResolverthat permits those specific lookups.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if a required hardening setting cannot be applied to the underlying implementation.
-
newSAXParserFactory
Returns a fresh, hardenedSAXParserFactory.Beyond the three universal guarantees on
XmlFactories, XInclude resolution is disabled. CallingsetXIncludeAware(true)on the returned factory does not re-enable resolution; a parse that encounters anxi:includeelement fails.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if the underlying JAXP implementation is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-
newSchemaFactory
Returns a fresh, hardenedSchemaFactoryconfigured for W3C XML Schema (XMLConstants.W3C_XML_SCHEMA_NS_URI).Beyond the three universal guarantees on
XmlFactories:xs:import,xs:includeandxs:redefineschemaLocation URIs are not resolved during schema compilation, andxsi:schemaLocation/xsi:noNamespaceSchemaLocationhints in instance documents are not resolved during validation.
The same guarantees apply to
ValidatorandValidatorHandlerinstances produced from the resultingSchema.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if the underlying Schema implementation is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-
newTransformerFactory
Returns a fresh, hardenedTransformerFactory.Beyond the three universal guarantees on
XmlFactories:xsl:import,xsl:includeanddocument()URIs are not resolved.The guarantees apply to every parser the factory creates internally, both for stylesheet compilation and for source-document reading at
Transformer.transform(Source, Result)time.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if the underlying TrAX implementation is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-
newXMLInputFactory
Returns a fresh, hardenedXMLInputFactory.The three universal guarantees on
XmlFactoriesapply; StAX exposes no additional vectors beyond them.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if the underlying StAX implementation is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-
newXPathFactory
Returns a fresh, hardenedXPathFactoryfor the default XPath object model.Beyond the three universal guarantees on
XmlFactories, URI-fetching XPath 3.1+ functions (doc(),collection(),unparsed-text()) are not resolved.- Returns:
- a hardened factory.
- Throws:
IllegalStateException- if the underlying XPath implementation is not recognized by any bundled hardening recipe, or if the matching recipe cannot apply its settings to it.
-