diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
index 58725545f7..4d7caad4d3 100644
--- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
+++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/ParametersModalPanel.java
@@ -27,6 +27,7 @@
 import java.text.ParseException;
 import java.util.Base64;
 import java.util.Set;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import org.apache.commons.lang3.time.DateFormatUtils;
@@ -48,8 +49,6 @@ public class ParametersModalPanel extends AbstractModalPanel {
 protected static final JsonMapper JSON_MAPPER = JsonMapper.builder().findAndAddModules().build();
-protected static final SAXParserFactory SAX_PARSER_FACTORY = SAXParserFactory.newInstance();
-
 protected static boolean isDate(final String value) {
 try {
 DateFormatUtils.ISO_8601_EXTENDED_DATETIME_TIME_ZONE_FORMAT.parse(value);
@@ -79,9 +78,12 @@ protected static boolean isJSON(final String value) {
 protected static boolean isXML(final String value) {
 try {
-SAX_PARSER_FACTORY.newSAXParser().getXMLReader().parse(new InputSource(new StringReader(value)));
+SAXParserFactory factory = SAXParserFactory.newInstance();
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+factory.newSAXParser().getXMLReader().parse(new InputSource(new StringReader(value)));
 return true;
-} catch (IOException | ParserConfigurationException | SAXException xmle) {
+} catch (IOException | ParserConfigurationException | SAXException e) {
 return false;
 }
 }
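Review bot: The two `setFeature` calls in the isXML hunk sit inside the same try as the parse, so a SAXNotRecognizedException, SAXNotSupportedException or ParserConfigurationException raised when the SAX implementation on the classpath does not know `http://apache.org/xml/features/disallow-doctype-decl` (a Xerces feature, recognised by the JDK's bundled parser but not guaranteed elsewhere) is swallowed by the multi-catch and reported as "not XML" for every input, which hides the hardening failure instead of surfacing it. Consider building and configuring the factory before the try, or catching the feature-configuration exceptions separately and logging them, so that a parser that cannot be locked down fails loudly rather than silently degrading the type detection. The DOCTYPE rejection also changes the method's contract and deserves a comment, e.g. `// reject any DOCTYPE: closes XXE / entity expansion; a parameter value carrying a DTD is treated as plain text`. Minor style: `Boolean.TRUE` on one line and `true` on the next do the same thing through unboxing; pick one form.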