Apache Commons XML

Sandbox component.

Apache Commons XML is part of the Apache Commons Sandbox. It is a work in progress, has not been formally released, and its API, coordinates, and behaviour may change without notice. Do not rely on it in production.

Apache Commons XML provides secure-by-default JAXP factory creation, abstracting over implementation-specific XXE hardening differences between the stock JDK and external JAXP implementations.

Why

Any Java library that parses XML has to harden JAXP before handing a factory to user code, and every library ends up copy-pasting the same hardening snippet. The snippet is fragile: the attributes and features needed to harden a factory are not standardised, each JAXP implementation exposes a slightly different set, and setting an unknown one throws an exception that callers routinely swallow. Writing this block correctly for every implementation is real work, and duplicating it across projects means every project owns the maintenance burden on its own.

Defaults are also uneven. The stock JDK SAX and DOM parsers already prevent external entity resolution through

This library provides that baseline. Each

Usage

Add the library to your build:

Every method on

Supported implementations

Out of the box the library recognises the stock JDK JAXP implementations, Apache Xerces 2.x, Woodstox, and Saxon-HE. If a factory resolves to an implementation not covered by any bundled hardening recipe, every

- DOM parsing via
- SAX parsing via
- Streaming (StAX) parsing via
- XSLT transforms via
- XPath queries via
- W3C XML Schema validation via

Stylesheets and schemas

The hardening applies to documents parsed through the returned factory. Stylesheets given to

Caching and thread-safety

There is no caching or pooling inside
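The hardening block the "Why" section describes, written out for the six factory types in the list above as an added example; this is not Apache Commons XML code and not the library's API. It records features an implementation rejects instead of swallowing the exception, and refuses to hand back a DOM or SAX factory when a must-have feature is unsupported. The class and method names (HardenedJaxp, tryFeature, requireAll, rejectsDoctype) are assumptions made for the example; the feature and attribute identifiers are the standard JAXP, SAX and Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

// Example hardening of the JAXP factories (assumed class name, not Apache Commons XML code).
public final class HardenedJaxp {

    // Xerces-family feature URIs; the JDK's built-in parser honours all of them.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    @FunctionalInterface
    interface Setter { void set(String name, boolean value) throws Exception; }

    // Try one feature; a rejection is recorded, never silently dropped.
    static void tryFeature(Setter s, String name, boolean value, List<String> rejected) {
        try { s.set(name, value); } catch (Exception e) { rejected.add(name); }
    }

    // Fail closed: an implementation that cannot honour a must-have feature yields no factory.
    static void requireAll(String what, List<String> rejected, String... required) {
        for (String r : required) {
            if (rejected.contains(r)) {
                throw new IllegalStateException(what + " rejected required feature " + r);
            }
        }
    }

    public static DocumentBuilderFactory documentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        List<String> rejected = new ArrayList<>();
        tryFeature(f::setFeature, DISALLOW_DOCTYPE, true, rejected); // no DOCTYPE, hence no entities
        tryFeature(f::setFeature, EXT_GENERAL, false, rejected);
        tryFeature(f::setFeature, EXT_PARAMETER, false, rejected);
        tryFeature(f::setFeature, LOAD_EXT_DTD, false, rejected);   // belt and braces, not required
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        requireAll("DocumentBuilderFactory", rejected, DISALLOW_DOCTYPE, EXT_GENERAL, EXT_PARAMETER);
        return f;
    }

    public static SAXParserFactory saxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        List<String> rejected = new ArrayList<>();
        tryFeature(f::setFeature, DISALLOW_DOCTYPE, true, rejected);
        tryFeature(f::setFeature, EXT_GENERAL, false, rejected);
        tryFeature(f::setFeature, EXT_PARAMETER, false, rejected);
        f.setXIncludeAware(false);
        requireAll("SAXParserFactory", rejected, DISALLOW_DOCTYPE, EXT_GENERAL, EXT_PARAMETER);
        return f;
    }

    public static XMLInputFactory xmlInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Both properties are mandated by the StAX spec, so every implementation accepts them.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    public static TransformerFactory transformerFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol allowed for external DTDs or xsl:import/include/document().
        // An implementation that does not know these attributes throws IllegalArgumentException.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    public static XPathFactory xPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory f = XPathFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // restricts extension functions
        return f;
    }

    public static SchemaFactory schemaFactory() throws SAXException {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Constructed check: a bare DOCTYPE declaration is enough for the hardened DOM parser to refuse.
    public static boolean rejectsDoctype() throws Exception {
        byte[] doc = "<!DOCTYPE doc><doc/>".getBytes(StandardCharsets.UTF_8);
        try {
            documentBuilderFactory().newDocumentBuilder().parse(new ByteArrayInputStream(doc));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened DOM parser rejects DOCTYPE: " + rejectsDoctype());
    }
}
```

The point of `tryFeature` and `requireAll` is the failure mode the "Why" section names: with the stock JDK every feature above is accepted, but a different JAXP implementation on the classpath may reject one, and a hardening block that catches and ignores that exception quietly returns an unhardened factory. Treating DOCTYPE rejection and the two external-entity features as mandatory turns that silent downgrade into a startup failure a practitioner can see.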