热门标签
热门文章
- 1Web 开发 6:Redis 缓存(Flask项目使用Redis并同时部署到Docker详细流程 附项目源码)_flask redis
- 2【spark源码系列】DataType原理方法示例源码详解_spark datetype
- 3chatgpt赋能python:Python编写输入法及其优势_用python写一个拼音输入法
- 4织梦联系我们单页面制作(包含地图)_html联系我们页面代码
- 52017百度AI开发者大会 一场5000名开发者的分享盛宴
- 6完美解决java.lang.ClassCastException: class java.lang.Integer cannot be cast to class java.lang.Long_java.lang.classcastexception: java.lang.integer ca
- 7Unity 3D 面试 数据结构与算法简述_unity数据结构和算法
- 8基于强化学习的空战辅助决策(2D)_afsim开源代码
- 9python:整数的最大值和最小值_python最大值与最小值
- 10Verilog 过程赋值 区别 详解_verilog 过程赋值语句是并行执行的吗
当前位置: article > 正文
防止 XML外部实体注入
作者:菜鸟追梦旅行 | 2024-05-23 12:03:21
赞
踩
http请求防xml注入
方式一
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// 这是优先选择. 如果不允许DTDs (doctypes) ,几乎可以阻止所有的XML实体攻击
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
org.w3c.dom.Document documentW3c = dbf.newDocumentBuilder().parse(tempFile);
方式二
JAXBContext context = JAXBContext.newInstance(klass);
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
Unmarshaller unmarshaller = context.createUnmarshaller();
return unmarshaller.unmarshal(xsr);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// 这是优先选择. 如果不允许DTDs (doctypes) ,几乎可以阻止所有的XML实体攻击
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
org.w3c.dom.Document documentW3c = dbf.newDocumentBuilder().parse(tempFile);
方式二
JAXBContext context = JAXBContext.newInstance(klass);
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
Unmarshaller unmarshaller = context.createUnmarshaller();
return unmarshaller.unmarshal(xsr);
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/菜鸟追梦旅行/article/detail/612752
推荐阅读
相关标签
