On Thu, Jul 9, 2009 at 8:56 AM, Tim McCune <tim_at_mccune.name> wrote:
> Catching up on this thread.
>
> The unit test example that I provided shows that it works in Grizzly. We
> originally encountered the problem in Tomcat. So we have seen it in both.
...
> really cool if Jersey provided a way to do that out of the box. Anyway, in
> order to accomplish this, we're providing our own Unmarshaller, and in turn,
> our own SAX parser. So the easy fix for us was to call this on the
> SAXParserFactory:
>
> parserFactory.setFeature("http://xml.org/sax/features/external-general-entities",
> Boolean.FALSE);
>
> Maybe Jersey just needs to always do the same when parsing XML instead of
> simply passing the raw InputStream in.

Also: a similar option exists with the StAX API,
XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES;

factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);

would do the trick.

Given that you don't necessarily get to choose which parser gets
instantiated by Jersey, it would make sense to use a more generic
setting which can then translate to what is needed by the specific
parser being instantiated?
Plus it definitely would be reasonable to set this when "secure mode"
is enabled.
-+ Tatu +-
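
An added example, not part of either message and not Jersey's code: a self-check that the SAX feature and the StAX property discussed above keep a parser from reading an external entity. The class name, temp file and marker string are constructed for the example; it also sets the SAX parameter-entity feature and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which the thread does not mention. It assumes Java 11 or later and the JDK's bundled parsers.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class ExternalEntityCheck {
    static final String MARKER = "MARKER-FROM-DISK"; // constructed sample value

    public static void main(String[] args) throws Exception {
        // Constructed input: a temp file stands in for data the parser must not read.
        Path onDisk = Files.createTempFile("marker", ".txt");
        Files.writeString(onDisk, MARKER);
        String xml = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + onDisk.toUri() + "\">]><r>&e;</r>";

        // SAX: the feature quoted in the thread, plus its parameter-entity counterpart.
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        StringBuilder saxText = new StringBuilder();
        spf.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                saxText.append(ch, start, length);
            }
        });

        // StAX: the property from the reply, plus the one that governs external entities.
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        StringBuilder staxText = new StringBuilder();
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.CHARACTERS) {
                staxText.append(reader.getText());
            }
        }
        Files.delete(onDisk);

        // Fail loudly if either parser pulled the file contents into the document text.
        if (saxText.indexOf(MARKER) >= 0 || staxText.indexOf(MARKER) >= 0) {
            throw new AssertionError("external entity was expanded");
        }
        System.out.println("SAX text=[" + saxText + "] StAX text=[" + staxText + "]");
    }
}
```

Running the same check with the hardening lines removed shows what a given parser does by default, which is useful when the framework picks the parser implementation.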