Add StaxHelper to ensure that StAX parsers have sensible defaults, including settings to avoid XML Entity Expansion issues

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1799734 13f79535-47bb-0310-9956-ffa450edef68

src/java/org/apache/poi/sl/draw/DrawSimpleShape.java

@@ -53,6 +53,7 @@ import org.apache.poi.sl.usermodel.PaintStyle.SolidPaint;
 import org.apache.poi.sl.usermodel.Shadow;
 import org.apache.poi.sl.usermodel.SimpleShape;
 import org.apache.poi.util.IOUtils;
+import org.apache.poi.util.StaxHelper;
 import org.apache.poi.util.Units;
 
 
@@ -363,7 +364,7 @@ public class DrawSimpleShape extends DrawShape {
             };
 
             try {
-                XMLInputFactory staxFactory = XMLInputFactory.newInstance();
+                XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
                 XMLEventReader staxReader = staxFactory.createXMLEventReader(presetIS);
                 XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
                 // Ignore StartElement:

src/java/org/apache/poi/sl/draw/geom/PresetGeometries.java

@@ -37,6 +37,7 @@ import javax.xml.stream.events.XMLEvent;
 import org.apache.poi.sl.draw.binding.CTCustomGeometry2D;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
+import org.apache.poi.util.StaxHelper;
 
 /**
  * 
@@ -59,7 +60,7 @@ public class PresetGeometries extends LinkedHashMap<String, CustomGeometry> {
             }
         };
         
-        XMLInputFactory staxFactory = XMLInputFactory.newFactory();
+        XMLInputFactory staxFactory = StaxHelper.newXMLInputFactory();
         XMLEventReader staxReader = staxFactory.createXMLEventReader(is);
         XMLEventReader staxFiltRd = staxFactory.createFilteredReader(staxReader, startElementFilter);
         // ignore StartElement:

src/java/org/apache/poi/util/StaxHelper.java

@@ -0,0 +1,52 @@
+/* ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+==================================================================== */
+
+package org.apache.poi.util;
+
+import javax.xml.stream.XMLInputFactory;
+
+
+/**
+ * Provides handy methods for working with StAX parsers and readers
+ */
+public final class StaxHelper {
+    private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
+
+    private StaxHelper() {}
+
+    /**
+     * Creates a new StAX XMLInputFactory, with sensible defaults
+     */
+    public static XMLInputFactory newXMLInputFactory() {
+        XMLInputFactory factory = XMLInputFactory.newFactory();
+        trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+        trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+        trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+        trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        return factory;
+    }
+            
+    private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+        try {
+            factory.setProperty(feature, flag);
+        } catch (Exception e) {
+            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+        } catch (AbstractMethodError ame) {
+            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+        }
+    }
+}

src/ooxml/java/org/apache/poi/xssf/usermodel/XSSFTableStyle.java

@@ -25,6 +25,8 @@ import java.util.Map;
 import org.apache.poi.ss.usermodel.DifferentialStyleProvider;
 import org.apache.poi.ss.usermodel.TableStyle;
 import org.apache.poi.ss.usermodel.TableStyleType;
+import org.apache.poi.util.POILogFactory;
+import org.apache.poi.util.POILogger;
 import org.apache.xmlbeans.XmlCursor;
 import org.apache.xmlbeans.XmlException;
 import org.apache.xmlbeans.XmlObject;
@@ -39,6 +41,7 @@ import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTTableStyleElement;
  * Also used for built-in styles via dummy XML generated from presetTableStyles.xml.
  */
 public class XSSFTableStyle implements TableStyle {
+    private static final POILogger logger = POILogFactory.getLogger(XSSFTableStyle.class);
 
     private final String name;
     private final int index;
@@ -76,8 +79,7 @@ public class XSSFTableStyle implements TableStyle {
                     }
                     if (dxf != null) dxfList.add(dxf);
                 } catch (XmlException e) {
-                    // ignore
+                    logger.log(POILogger.WARN, "Error parsing XSSFTableStyle", e);
-                    e.printStackTrace();
                 }
             }
         }