users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Thu, 09 Jul 2009 14:57:29 +0200

On Jul 9, 2009, at 2:22 PM, Martin Probst wrote:

>> I think one should generally set
>> http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>> to true in the DocumentBuilderFactory when processing XML from the
>> outside.
>
> Actually I'm not even sure if that prevents entity expansion
> generally. I think one also needs
> "factory.setExpandEntityReferences(false);".
>

Currently the way we are using JAXB is that we pass in InputStream to
the Unmarshaller.unmarshal method. AFAIK it is not possible to pass
such values to JAXB (and JAXB uses SAX internally not DOM).

Paul.
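The thread turns on whether features such as FEATURE_SECURE_PROCESSING and entity-expansion settings can be applied when an InputStream is handed straight to Unmarshaller.unmarshal. The following is an added example, not code from the thread or from the Jersey project: since JAXB's Unmarshaller also accepts a javax.xml.transform.Source, the parser features can be set on a SAXParserFactory and the resulting XMLReader handed to JAXB through a SAXSource, so the SAX parser JAXB uses is one the application has hardened itself. The class names HardenedUnmarshal and Note and the helpers hardenedReader and unmarshal are hypothetical; it assumes the javax.xml.bind API is on the classpath (as in JDK 6 to 8, or via a JAXB dependency), and the disallow-doctype-decl feature URI is specific to Xerces-derived parsers such as the one bundled with the JDK.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedUnmarshal {

    // Hypothetical JAXB-bound type used only for this example.
    @XmlRootElement(name = "note")
    public static class Note {
        @XmlElement
        public String body;
    }

    // Build an XMLReader with DTD processing and external entity resolution switched off.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every DOCTYPE removes both external entities and internal entity expansion
        // (Xerces/JDK-specific feature URI).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Standard SAX features, kept as a second line of defence should a parser
        // not honour the feature above.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser().getXMLReader();
    }

    // Unmarshal through a SAXSource so JAXB parses with the hardened reader rather
    // than with a SAX parser it configures internally from a raw InputStream.
    static Note unmarshal(String xml) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Note.class);
        Unmarshaller u = ctx.createUnmarshaller();
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        return (Note) u.unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document with no DTD is accepted.
        String plain = "<note><body>hello</body></note>";
        System.out.println("plain document: body=" + unmarshal(plain).body);

        // Constructed sample input: the same document carrying a DOCTYPE with an
        // internal entity. The hardened reader refuses it before any expansion happens;
        // JAXB surfaces the SAXParseException wrapped in an UnmarshalException.
        String withDoctype =
            "<!DOCTYPE note [<!ENTITY x \"expanded\">]><note><body>&x;</body></note>";
        try {
            unmarshal(withDoctype);
            System.out.println("unexpected: document with DOCTYPE was accepted");
        } catch (JAXBException e) {
            System.out.println("rejected as intended: " + e.getCause());
        }
    }
}
```

Applying the same settings to a DocumentBuilderFactory would not help here, since (as the reply notes) JAXB drives a SAX parser rather than a DOM; the SAXSource route is what lets the application own the parser configuration. If a framework only exposes the InputStream path, wrapping the stream in a SAXSource built as above before it reaches the Unmarshaller achieves the same effect.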