#903 disable DOCTYPE to fix XXE Vulnerability

2025-11-09 17:39:12 +08:00 · 2019-01-10 18:28:55 +08:00
parent d6923f2537
commit 8ec61d1328
4 changed files with 8 additions and 1 deletions
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
@ -39,6 +39,7 @@ public class WxCryptUtil {
      try {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setExpandEntityReferences(false);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder();
      } catch (ParserConfigurationException exc) {
        throw new IllegalArgumentException(exc);