Hi!
I want to count how many *&reference_name;* type ENTITIES can be found in my DTD using a SAX parser (it can be a DoS attack).
Here's an example XML String:
String extEnts = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
+ "<!DOCTYPE root [" + "<!ENTITY ha \"Ha !\"> "
+ "<!ENTITY ha2 \"&ha; &ha;\"> "
+ "<!ENTITY ha3 \"&ha2; &ha2;\"> "
+ "<!ENTITY ha4 \"&ha3; &ha3;\"> "
+ "<!ENTITY ha5 \"&ha4; &ha4;\"> "
+ "<!ENTITY ha6 \"&ha5; &ha5;\"> "
+ "]> "
+ "<root><wtf>&ha6;</wtf></root> ";
I've tried to override the
notationDecl(String name, String publicId, String systemId)
unparsedEntityDecl(String name, String publicId, String systemId, String notationName)
skippedEntity(String name)
resolveEntity(String publicId, String systemId)
methods in the DefaultHandler, but while parsing the XML, it never steps into any of them. I've also tried
parser.setFeature("http://xml.org/sax/features/validation", true)
and
parser.setFeature("http://xml.org/sax/features/validation", false)
too.
Could someone help me pls?
Kumite
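
Added example, not part of the original post: internal entity declarations and expansions are reported through SAX2's `DeclHandler` and `LexicalHandler` extension interfaces, not through the four `DefaultHandler` callbacks listed above, so this sketch registers an `org.xml.sax.ext.DefaultHandler2` for both and aborts the parse once a budget is exceeded. The class name `EntityCounter` and the `MAX_EXPANSIONS` value are assumptions for illustration; the input is the DTD from the post.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.ext.DefaultHandler2;

public class EntityCounter extends DefaultHandler2 {
    static final int MAX_EXPANSIONS = 1000;   // hypothetical budget, tune per application
    final Map<String, String> declared = new LinkedHashMap<>();
    int expansions = 0;

    @Override // DeclHandler: called once per <!ENTITY name "value"> in the DTD
    public void internalEntityDecl(String name, String value) {
        declared.putIfAbsent(name, value);    // XML keeps the first declaration of a name
    }

    @Override // LexicalHandler: called when the parser reports the start of an entity expansion
    public void startEntity(String name) throws SAXException {
        if (name.startsWith("[") || name.startsWith("%")) return; // DTD subset / parameter entities
        if (++expansions > MAX_EXPANSIONS) {
            // Throwing from a handler stops the parse before more memory is consumed.
            throw new SAXException("entity expansion budget exceeded at &" + name + ";");
        }
    }

    public static void main(String[] args) throws Exception {
        String extEnts = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
            + "<!DOCTYPE root [" + "<!ENTITY ha \"Ha !\"> "
            + "<!ENTITY ha2 \"&ha; &ha;\"> " + "<!ENTITY ha3 \"&ha2; &ha2;\"> "
            + "<!ENTITY ha4 \"&ha3; &ha3;\"> " + "<!ENTITY ha5 \"&ha4; &ha4;\"> "
            + "<!ENTITY ha6 \"&ha5; &ha5;\"> " + "]> "
            + "<root><wtf>&ha6;</wtf></root> ";

        EntityCounter handler = new EntityCounter();
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        // Both extension handlers are set as properties, not via setContentHandler().
        reader.setProperty("http://xml.org/sax/properties/declaration-handler", handler);
        reader.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(extEnts)));

        System.out.println("declared entities: " + handler.declared.keySet());
        System.out.println("entity expansions: " + handler.expansions);
    }
}
```

The declaration count alone understates the risk, because each nesting level doubles the number of expansions; the `startEntity` counter tracks the expansions the parser actually reports.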