path: root/examples/cxx/tree/secure/README
blob: 649f0a3ef7a205e06fb1b9edd70e0b53dc42b67d (plain)
This example shows how to perform more secure XML parsing by disabling
XML External Entity (XXE) processing. If XML Schema validation is
used, then it would also make sense to pre-load the known schemas and
to disable loading of any external schemas, for example, via the
schemaLocation attribute found in the XML documents. See the comment
in driver.cxx for more information on how to achieve this.

The example consists of the following files:

library.xsd
  XML Schema which describes a library of books.

library.xml
  Sample XML instance document. It includes (commented out) DOCTYPE
  declarations with internal and external subsets that the parser
  will refuse to process.

library.hxx
library.cxx
  C++ types that represent the given vocabulary and a set of parsing
  functions that convert XML instance documents to a tree-like in-memory
  object model. These are generated by the XSD compiler from library.xsd.

secure-dom-parser.hxx
secure-dom-parser.cxx
  A secure Xerces-C++ DOM parser implementation that disables processing
  of internal/external DTD subsets.

driver.cxx
  Driver for the example. It first sets up the secure DOM parser. It then
  parses the input file to a DOM document using the secure DOM parser and
  calls one of the parsing functions that constructs the object model from
  this DOM document. Finally, the driver prints a number of books in the
  object model to STDERR.

To run the example on the sample XML instance document simply execute:

$ ./driver library.xml

To verify that DTD processing is disabled, uncomment one of the DOCTYPE
declarations in the sample document and run the driver again.
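As an added illustration (not the project's secure-dom-parser.cxx, which enforces this inside the Xerces-C++ parser callbacks), here is a stand-alone, Xerces-free pre-check in C++ that applies the same policy to a document before it reaches the parser: any DOCTYPE declaration is refused, whether it carries an internal subset, an external SYSTEM/PUBLIC identifier, or both, while the commented-out DOCTYPEs in library.xml are correctly ignored. DoctypeInfo, find_doctype and accept_document are hypothetical names.

```cpp
#include <string>

// Added example, not the XSD project's code: what a DOCTYPE in the prolog carries.
struct DoctypeInfo
{
  bool present = false;         // any <!DOCTYPE ...>
  bool internal_subset = false; // [ ... ] with inline declarations
  bool external_id = false;     // SYSTEM/PUBLIC reference to an external DTD
};

// Scan the prolog (everything before the root element) for a DOCTYPE declaration.
// Comments and processing instructions are skipped, so the commented-out DOCTYPEs
// in library.xml are not reported; the first element ends the scan.
DoctypeInfo find_doctype(const std::string& xml)
{
  DoctypeInfo info;
  std::string::size_type i = 0, e;
  while ((i = xml.find('<', i)) != std::string::npos)
  {
    if (xml.compare(i, 4, "<!--") == 0)          // comment: skip past -->
    {
      if ((e = xml.find("-->", i + 4)) == std::string::npos) break;
      i = e + 3;
    }
    else if (xml.compare(i, 2, "<?") == 0)       // XML declaration or PI: skip past ?>
    {
      if ((e = xml.find("?>", i + 2)) == std::string::npos) break;
      i = e + 2;
    }
    else if (xml.compare(i, 9, "<!DOCTYPE") == 0)
    {
      // The external ID (SYSTEM/PUBLIC) precedes the optional [internal subset].
      std::string::size_type lb = xml.find('[', i), gt = xml.find('>', i);
      if (gt == std::string::npos) gt = xml.size();
      info.present = true;
      info.internal_subset = lb != std::string::npos && lb < gt;
      std::string ext = xml.substr(i + 9, (info.internal_subset ? lb : gt) - (i + 9));
      info.external_id = ext.find("SYSTEM") != std::string::npos ||
                         ext.find("PUBLIC") != std::string::npos;
      break;
    }
    else break;                                  // root element: prolog is over
  }
  return info;
}

// The policy the secure example enforces: refuse any document with a DOCTYPE,
// whether its subset is internal, external, or both.
bool accept_document(const std::string& xml) { return !find_doctype(xml).present; }
```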