On Thu, Jul 9, 2009 at 2:18 PM, Tim McCune <tim_at_mccune.name> wrote:
> On Thu, Jul 9, 2009 at 2:03 PM, Tatu Saloranta <tsaloranta_at_gmail.com> wrote:
>>
...
> I looked into this, and it turns out the StAX parser that's built into the
> JDK (SJSXP) is not standards-compliant, and will not only default to not
> expanding entities, but will throw an exception if you set that property to
> Boolean.TRUE. :) So while not an immediate issue, I suppose it could become

Heh. :-)
I won't comment too much wrt Sjsxp feature set, beyond mentioning that
not all Sun frameworks use Sjsxp by default. Glassfish actually
nowadays defaults to using Woodstox I think. Which does use the Stax
API default settings ([external] entity expansion enabled), but allows
disabling etc.

> one down the road if the JDK's implementation fixed that problem, and if
> Jersey were to change to using StAX for parsing XML by default instead of
> SAX.

True. Just thought I'd mention it.
... and this also gives me one potential idea for adding
"enabledSecureProblem()" feature in Woodstox 5.0. :-)

-+ Tatu +-
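
An added example, not part of the original message and not Jersey, Sjsxp or Woodstox code: because StAX implementations differ in their entity-expansion defaults and in which property values they accept, this sketch reports which implementation is loaded, disables external entities and DTD support through the standard XMLInputFactory properties, and parses a constructed document. The class name StaxEntityCheck and the placeholder entity URI are assumptions made for the illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxEntityCheck {
    // Set a property; an implementation may reject a value with IllegalArgumentException.
    static void set(XMLInputFactory f, String name, Object value) {
        try {
            f.setProperty(name, value);
        } catch (IllegalArgumentException e) {
            System.out.println("  rejected " + name + "=" + value + ": " + e.getMessage());
        }
    }

    static XMLInputFactory hardened() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        System.out.println("StAX implementation: " + f.getClass().getName());
        set(f, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        set(f, XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Backstop: if the parser still asks for an external resource, refuse it.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("external entity blocked: " + systemId);
        });
        // Read the values back so the effective settings are visible in the log.
        System.out.println("  external entities: "
            + f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
        System.out.println("  DTD support: " + f.getProperty(XMLInputFactory.SUPPORT_DTD));
        return f;
    }

    public static void main(String[] args) {
        // Constructed sample: the entity points at a placeholder URI, not a real file.
        String xml = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
                   + "<d>&ext;</d>";
        try {
            XMLStreamReader r = hardened().createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            System.out.println("parsed, text=[" + text + "]");
        } catch (XMLStreamException e) {
            System.out.println("document rejected: " + e.getMessage());
        }
    }
}
```

Whether the document is rejected or parsed with the entity left unexpanded depends on the implementation on the classpath, which is why the factory class name and effective property values are printed first.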