Disallow Doctype on parsed XML files in ZK to increase security


    • Type: New Feature
    • Resolution: Fixed
    • Priority: Normal
    • Fix Version/s: 10.0.0
    • Affects Version/s: 9.6.4
    • Component/s: None
    • Security Level: Jimmy

      Steps to Reproduce

      Adding a DOCTYPE declaration to zk.xml should cause the SAX parser to refuse to parse the file, for example:

      <!DOCTYPE xml>
      

      Current Result

      No restriction: the file is parsed even though it contains a DOCTYPE declaration.

      Expected Result

      The restriction is deliberate: parsing fails with an exception.

      org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature http://apache.org/xml/features/disallow-doctype-decl set to true.
      

      Debug Information

      Caused by a parser setting that explicitly disallows DOCTYPE declarations in parsed files (the Xerces feature disallow-doctype-decl, set to true in the commit below):
      https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
      https://github.com/zkoss/zk/commit/8a94e3e730d1486348115e87892d26ec560f9d25

      Workaround for existing files

      Remove the DOCTYPE declaration from the affected XML files; the rest of the file is parsed as before.
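      The behaviour described under Expected Result and the workaround above, as an added stand-alone example (not ZK's own code and not the code from the linked commit): a JAXP SAX parser is created with the Xerces feature http://apache.org/xml/features/disallow-doctype-decl set either way and fed a constructed zk.xml-style document with and without a DOCTYPE. The class name, the helper parses(), and the sample documents are assumptions for illustration; only the feature URI comes from the ticket.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeCheck {
    // Feature URI from the ticket (Xerces, also honoured by the JDK's built-in parser).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a minimal zk.xml-style file that carries a DOCTYPE declaration.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE zk>\n"
      + "<zk><system-config><max-upload-size>1024</max-upload-size></system-config></zk>\n";

    // The same constructed file with the DOCTYPE removed (the workaround from the ticket).
    static final String WITHOUT_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<zk><system-config><max-upload-size>1024</max-upload-size></system-config></zk>\n";

    // Parses the given XML with a SAX parser whose disallow-doctype-decl feature is
    // set as requested. Returns true when the document is accepted and false when the
    // parser rejects it with a SAXParseException (the message is printed for inspection).
    static boolean parses(String xml, boolean disallowDoctype) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Feature off: the DOCTYPE is accepted, matching the "Current Result" above.
        System.out.println("doctype, feature off:  " + parses(WITH_DOCTYPE, false));
        // Feature on: the parser refuses the file and prints the SAXParseException message
        // quoted under "Expected Result".
        System.out.println("doctype, feature on:   " + parses(WITH_DOCTYPE, true));
        // Workaround: the same file without its DOCTYPE still parses with the feature on.
        System.out.println("no doctype, feature on: " + parses(WITHOUT_DOCTYPE, true));
    }
}
```

      Compile and run it with a plain JDK (javac DoctypeCheck.java && java DoctypeCheck); no ZK dependency is needed. Setting the feature on the factory rather than on an individual parser is what makes every parser the factory hands out reject DOCTYPE declarations, so a single overlooked code path cannot reintroduce DTD processing.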

            Assignee: Unassigned
            Reporter: MDuchemin
            Votes: 0
            Watchers: 3