Hi, we just upgraded to 7.6 from 7.4, and running an analysis picked up a new issue around XXE, which is great.
I just wanted to note that in the text explaining the issue it reads:
To disable external entity processing for SAXParserFactory, XMLReader or DocumentBuilderFactory configure one of the properties XMLConstants.FEATURE_SECURE_PROCESSING or "http://apache.org/xml/features/disallow-doctype-decl" to true.
I wonder if this should read “… configure one of the features …” instead? Very minor, but this object has both setProperty and setFeature functions, so the wording as it is gave me a moment to pause, and just check what was meant.
For your first post, it’s a good catch. For SAXParserFactory, XMLReader or DocumentBuilderFactory, we should say: configure the feature using setFeature.
I changed the description of the rule accordingly. You will see the change in a couple of weeks when we will release SonarJava 5.12.
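As an added illustration of the corrected wording (not code from the rule description or from SonarJava), here is a DocumentBuilderFactory hardened with the two features named above through setFeature rather than setProperty, run against two constructed inputs; the class and method names are my own:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // Builds a DocumentBuilderFactory with the two features named in the rule
    // description enabled via setFeature (they are features, not properties).
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejects any DOCTYPE, so no external entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Also turns on the JAXP secure-processing limits.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    // Returns the root element name, or null when the parser rejected the input.
    static String parseRootName(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder builder = dbf.newDocumentBuilder();
        try {
            Document doc = builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return null; // a DOCTYPE was present and the hardened parser refused it
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedFactory();
        // Constructed sample inputs: a plain document and one carrying a DOCTYPE.
        String plain = "<?xml version=\"1.0\"?><order><id>42</id></order>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE order [<!ENTITY x \"y\">]><order>&x;</order>";
        System.out.println("plain document root: " + parseRootName(dbf, plain));
        System.out.println("document with DOCTYPE: " + parseRootName(dbf, withDoctype));
    }
}
```

The same setFeature calls apply to SAXParserFactory, while on an XMLReader obtained from a SAXParser the feature is set directly on the reader.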
Hi, thanks very much. I’ve actually posted stuff before (probably a few years ago now), and it was either on an old forum, or I forgot my login details. But yes, sounds good, that should make it clearer.