Secure XML parser some more

NotEnoughUpdates · Jan 11, 2024 · e50f396 · e50f396
1 parent 1e23313
commit e50f396
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/common/src/main/java/io/github/moulberry/moulconfig/xml/XMLUniverse.java b/common/src/main/java/io/github/moulberry/moulconfig/xml/XMLUniverse.java
@@ -10,6 +10,7 @@
 import org.jetbrains.annotations.NotNull;
 import org.w3c.dom.Element;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.InputStream;
@@ -105,6 +106,8 @@ public XMLBoundProperties getPropertyFinder(Class<?> clazz) {
     public GuiComponent load(Object bindTo, InputStream stream) {
         var factory = DocumentBuilderFactory.newInstance();
         factory.setNamespaceAware(true);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         var builder = factory.newDocumentBuilder();
         var document = builder.parse(stream);
         Element documentElement = document.getDocumentElement();