X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=restapi-call-node%2Fprovider%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fccsdk%2Fsli%2Fplugins%2Frestapicall%2FXmlParser.java;fp=restapi-call-node%2Fprovider%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fccsdk%2Fsli%2Fplugins%2Frestapicall%2FXmlParser.java;h=42e9e57ad9cdf66b7c18010233c09fd5e1b44f50;hb=43c9e83b3cc9b3dfaf55f08fc25813a77a4f2784;hp=cf6af66f2489ce1f07a461273e06275ba02fb35b;hpb=f396b85b5815ea0cdfeed96f999ed360e2a9ee9d;p=ccsdk%2Fsli%2Fplugins.git

diff --git a/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/XmlParser.java b/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/XmlParser.java
index cf6af66f..42e9e57a 100644
--- a/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/XmlParser.java
+++ b/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/XmlParser.java
@@ -35,6 +35,7 @@ import java.util.Set;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+import javax.xml.XMLConstants;
 
 import org.onap.ccsdk.sli.core.sli.SvcLogicException;
 import org.slf4j.Logger;
@@ -42,6 +43,7 @@ import org.slf4j.LoggerFactory;
 import org.xml.sax.Attributes;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
+import org.xml.sax.XMLReader;
 
 public final class XmlParser {
 
@@ -58,10 +60,15 @@ public final class XmlParser {
 
         Handler handler = new Handler(listNameList);
         try {
-            SAXParserFactory factory = SAXParserFactory.newInstance();
-            SAXParser saxParser = factory.newSAXParser();
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);  
             InputStream in = new ByteArrayInputStream(s.getBytes());
+            SAXParser saxParser = spf.newSAXParser();
             saxParser.parse(in, handler);
+            
         } catch (ParserConfigurationException | IOException | SAXException | NumberFormatException e) {
             throw new SvcLogicException("Unable to convert XML to properties" + e.getLocalizedMessage(), e);
         }