Skip to content
Advertisement

XMLConstants.FEATURE_SECURE_PROCESSING cannot be disabled

In the following method I defined a DocumentBuilderFactory with the XMLConstant FEATURE_SECURE_PROCESSING as false.

JavaScript

However, when I test the value of this property, it is ‘true’ after the DocumentBuilderFactory is returned.

I read the source documentation, and it states:

It is possible for an {@code TransformerFactory} to expose a feature value but be unable to change its state.

I am assuming this property is “unchangeable” by simply setting it to false. I am curious, is it possible to use Reflection to get around this? Are there any other more “stable” ways of setting this property to false?

Advertisement

Answer

FEATURE_SECURE_PROCESSING cannot be turned off, unfortunately. You can effectively override this security measure by adjusting the limits associated with FEATURE_SECURE_PROCESSING.

Example via System Properties:

JavaScript

Values <= 0 are equivalent to ‘no limit’.

Source: https://www.oracle.com/java/technologies/javase/11-0-15-relnotes.html

User contributions licensed under: CC BY-SA
8 People found this is helpful
Advertisement