users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Fri, 10 Jul 2009 10:23:18 +0200

On Jul 9, 2009, at 11:52 PM, Tatu Saloranta wrote:

> On Thu, Jul 9, 2009 at 2:18 PM, Tim McCune<tim_at_mccune.name> wrote:
>> On Thu, Jul 9, 2009 at 2:03 PM, Tatu Saloranta
>> <tsaloranta_at_gmail.com> wrote:
>>>
> ...
>> I looked into this, and it turns out the StAX parser that's built into the
>> JDK (SJSXP) is not standards-compliant, and will not only default to not
>> expanding entities, but will throw an exception if you set that property to
>> Boolean.TRUE. :) So while not an immediate issue, I suppose it could become
>
> Heh. :-)
>
> I won't comment too much wrt Sjsxp feature set, beyond mentioning that
> not all Sun frameworks use Sjsxp by default. Glassfish actually
> nowadays defaults to using Woodstox I think.

Right. I recently switched the Jersey pom dependencies to use the same
Woodstox version as Metro. Woodstox will be used for parsing
Collection<T> where T is a JAXB element type.


> Which does use the Stax
> api default settings ([external] entity expansion enabled), but allow
> disabling etc.
>
>> one down the road if the JDK's implementation fixed that problem, and if
>> Jersey were to change to using StAX for parsing XML by default instead of
>> SAX.
>
> True. Just thought I'll mention it.
>
> ... and this also gives me one potential idea for adding
> "enabledSecureProblem()" feature in Woodstox 5.0. :-)
>

+1

Paul.
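An added example, not code from this thread, Jersey or Woodstox: a StAX XMLInputFactory hardened against the default external-entity expansion discussed above, with a constructed document to confirm the entity is never resolved. The property names are the standard javax.xml.stream constants; that IS_SUPPORTING_EXTERNAL_ENTITIES is the property Tim refers to is an assumption.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxEntityCheck {

    // Hardened XMLInputFactory: no DTD processing and no external entity
    // resolution, whichever StAX implementation (SJSXP, Woodstox) is picked up.
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Parses untrusted XML and returns its character content, leaving any entity
    // the parser did not expand as "&name;". Returns null when the parser rejects
    // the document: some implementations throw on a DTD or an undeclared entity
    // once DTD support is off, which is also an acceptable outcome.
    public static String textContent(XMLInputFactory f, String xml) {
        StringBuilder sb = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    sb.append('&').append(r.getLocalName()).append(';');
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return null;
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: declares an external entity and references it.
        // The URI is a placeholder; with the hardened factory it is never fetched.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>\n"
                + "<d>&ext;</d>";
        String out = textContent(hardenedFactory(), xml);
        boolean expanded = out != null && !out.isEmpty() && !out.equals("&ext;");
        System.out.println("result=" + out + " externalEntityExpanded=" + expanded);
    }
}
```

The same two properties can be set on the XMLInputFactory a framework hands to its JAXB unmarshalling path, so the protection does not depend on which StAX implementation ends up on the classpath.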