Add StaxHelper to ensure that StAX parsers have sensible defaults, including settings to avoid XML Entity Expansion issues

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1799734 13f79535-47bb-0310-9956-ffa450edef68
2017-06-24 07:30:07 +00:00 · 2017-06-24 07:30:07 +00:00 · 61b0ecbd4b
commit 61b0ecbd4b
parent 972d561897
4 changed files with 60 additions and 4 deletions
--- a/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java
+++ b/src/java/org/apache/poi/sl/draw/DrawSimpleShape.java
@ -53,6 +53,7 @@ import org.apache.poi.sl.usermodel.PaintStyle.SolidPaint;
 import org.apache.poi.sl.usermodel.Shadow;
 import org.apache.poi.sl.usermodel.SimpleShape;
 import org.apache.poi.util.IOUtils;
+import org.apache.poi.util.StaxHelper;
 import org.apache.poi.util.Units;


@ -363,7 +364,7 @@ public class DrawSimpleShape extends DrawShape {
            };

            try {
-                XMLInputFactory staxFactory = XMLInputFactory.newInstance();
+                XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
                XMLEventReader staxReader = staxFactory.createXMLEventReader(presetIS);
                XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
                // Ignore StartElement:
--- a/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java
+++ b/src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java
@ -37,6 +37,7 @@ import javax.xml.stream.events.XMLEvent;
 import org.apache.poi.sl.draw.binding.CTCustomGeometry2D;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
+import org.apache.poi.util.StaxHelper;

 /**
 * 
@ -59,7 +60,7 @@ public class PresetGeometries extends LinkedHashMap<String, CustomGeometry> {
            }
        };
        
-        XMLInputFactory staxFactory = XMLInputFactory.newFactory();
+        XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
        XMLEventReader staxReader = staxFactory.createXMLEventReader(is);
        XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
        // ignore StartElement:
--- a/src/java/org/apache/poi/util/StaxHelper.java
+++ b/src/java/org/apache/poi/util/StaxHelper.java
@ -0,0 +1,52 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+package org.apache.poi.util;
+
+import javax.xml.stream.XMLInputFactory;
+
+
+/**
+ * Provides handy methods for working with StAX parsers and readers
+ */
+public final class StaxHelper {
+    private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
+
+    private StaxHelper() {}
+
+    /**
+     * Creates a new StAX XMLInputFactory, with sensible defaults
+     */
+    public static XMLInputFactory newXMLInputFactory() {
+        XMLInputFactory factory = XMLInputFactory.newFactory();
+        trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+        trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+        trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+        trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        return factory;
+    }
+            
+    private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+        try {
+            factory.setProperty(feature, flag);
+        } catch (Exception e) {
+            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+        } catch (AbstractMethodError ame) {
+            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+        }
+    }
+}
--- a/src/ooxml/java/org/apache/poi/xssf/usermodel/XSSFTableStyle.java
+++ b/src/ooxml/java/org/apache/poi/xssf/usermodel/XSSFTableStyle.java
@ -25,6 +25,8 @@ import java.util.Map;
 import org.apache.poi.ss.usermodel.DifferentialStyleProvider;
 import org.apache.poi.ss.usermodel.TableStyle;
 import org.apache.poi.ss.usermodel.TableStyleType;
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
 import org.apache.xmlbeans.XmlCursor;
 import org.apache.xmlbeans.XmlException;
 import org.apache.xmlbeans.XmlObject;
@ -39,6 +41,7 @@ import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTTableStyleElement;
 * Also used for built-in styles via dummy XML generated from presetTableStyles.xml.
 */
 public class XSSFTableStyle implements TableStyle {
+    private static final POILogger logger = POILogFactory.getLogger(XSSFTableStyle.class);

    private final String name;
    private final int index;
@ -76,8 +79,7 @@ public class XSSFTableStyle implements TableStyle {
                    }
                    if (dxf != null) dxfList.add(dxf);
                } catch (XmlException e) {
-                    // ignore
-                    e.printStackTrace();
+                    logger.log(POILogger.WARN, "Error parsing XSSFTableStyle", e);
                }
            }
        }