Simplify XML FSP

garydgregory · garydgregory · commit 4e88dfb7541e · 2025-12-04T09:52:31.000-05:00
diff --git a/src/main/java/org/apache/commons/text/lookup/StringLookupFactory.java b/src/main/java/org/apache/commons/text/lookup/StringLookupFactory.java
@@ -1718,15 +1718,14 @@ public StringLookup xmlStringLookup(final Map<String, Boolean> factoryFeatures)
      * <li>{@code "com/domain/document.xml:/path/to/node"}</li>
      * </ul>
      * <p>
-     * Secure processing is enabled by default and can be overridden with the system property {@code "XmlStringLookup.secure"} set to {@code false}. The secure
-     * boolean String parsing follows the syntax defined by {@link Boolean#parseBoolean(String)}.
+     * Secure processing is enabled by default and can be overridden with this constructor.
      * </p>
      * <p>
      * Using a {@link StringLookup} from the {@link StringLookupFactory} fenced by the current directory ({@code Paths.get("")}):
      * </p>
      *
      * <pre>
-     * StringLookupFactory.INSTANCE.xmlStringLookup(map, Pathe.get("")).lookup("com/domain/document.xml:/path/to/node");
+     * StringLookupFactory.INSTANCE.xmlStringLookup(map, Path.get("")).lookup("com/domain/document.xml:/path/to/node");
      * </pre>
      * <p>
      * To use a {@link StringLookup} fenced by the current directory, use:
diff --git a/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java b/src/main/java/org/apache/commons/text/lookup/XmlStringLookup.java
@@ -30,7 +30,6 @@
 import javax.xml.xpath.XPathFactory;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.SystemProperties;
 import org.w3c.dom.Document;
 
 /**
@@ -42,8 +41,7 @@
  * <li>{@code "com/domain/document.xml:/path/to/node"}</li>
  * </ul>
  * <p>
- * Secure processing is enabled by default and can be overridden with the system property {@code "XmlStringLookup.secure"} set to {@code false}. The secure
- * boolean String parsing follows the syntax defined by {@link Boolean#parseBoolean(String)}.
+ * Secure processing is enabled by default and can be overridden with {@link StringLookupFactory#xmlStringLookup(Map, Path...)}.
  * </p>
  *
  * @since 1.5
@@ -72,14 +70,13 @@ final class XmlStringLookup extends AbstractPathFencedLookup {
     }
 
     /**
-     * Defines the singleton for this class with secure processing enabled.
+     * Defines the singleton for this class with secure processing enabled by default.
+     * <p>
+     * Secure processing is enabled by default and can be overridden with {@link StringLookupFactory#xmlStringLookup(Map, Path...)}.
+     * </p>
      */
     static final XmlStringLookup INSTANCE = new XmlStringLookup(DEFAULT_XML_FEATURES, DEFAULT_XPATH_FEATURES, (Path[]) null);
 
-    private static boolean isSecure() {
-        return SystemProperties.getBoolean(XmlStringLookup.class, "secure", () -> true);
-    }
-
     /**
      * Defines XPath factory features.
      */
@@ -113,8 +110,7 @@ private static boolean isSecure() {
      * <li>{@code "com/domain/document.xml:/path/to/node"}</li>
      * </ul>
      * <p>
-     * Secure processing is enabled by default. The secure boolean String parsing follows the syntax defined by {@link Boolean#parseBoolean(String)}. The secure
-     * value in the key overrides instance settings given in the constructor.
+     * Secure processing is enabled by default and can be overridden with {@link StringLookupFactory#xmlStringLookup(Map, Path...)}.
      * </p>
      *
      * @param key the key to be looked up, may be null.
@@ -130,22 +126,19 @@ public String lookup(final String key) {
         if (keyLen != KEY_PARTS_LEN) {
             throw IllegalArgumentExceptions.format("Bad XML key format '%s'; the expected format is 'DocumentPath:XPath'.", key);
         }
-        final boolean secure = isSecure();
         final String documentPath = keys[0];
         final String xpath = StringUtils.substringAfterLast(key, SPLIT_CH);
         final DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
         try {
             for (final Entry<String, Boolean> p : xmlFactoryFeatures.entrySet()) {
                 dbFactory.setFeature(p.getKey(), p.getValue());
             }
-            dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
             try (InputStream inputStream = Files.newInputStream(getPath(documentPath))) {
                 final Document doc = dbFactory.newDocumentBuilder().parse(inputStream);
                 final XPathFactory xpFactory = XPathFactory.newInstance();
                 for (final Entry<String, Boolean> p : xPathFactoryFeatures.entrySet()) {
                     xpFactory.setFeature(p.getKey(), p.getValue());
                 }
-                xpFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
                 return xpFactory.newXPath().evaluate(xpath, doc);
             }
         } catch (final Exception e) {
diff --git a/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java b/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java
@@ -35,7 +35,6 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringSubstitutor;
 import org.junit.jupiter.api.Test;
-import org.junitpioneer.jupiter.SetSystemProperty;
 
 /**
  * Tests {@link XmlStringLookup}.
@@ -69,7 +68,6 @@ void testExternalEntityOff() {
     }
 
     @Test
-    @SetSystemProperty(key = "XmlStringLookup.secure", value = "false")
     void testExternalEntityOn() {
         final String key = DOC_DIR + "document-entity-ref.xml:/document/content";
         assertEquals(DATA, new XmlStringLookup(EMPTY_MAP, EMPTY_MAP).apply(key).trim());
@@ -83,35 +81,19 @@ void testInterpolatorExternalDtdOff() {
                 + "document-external-dtd.xml:/document/content}"));
     }
 
-    @Test
-    @SetSystemProperty(key = "XmlStringLookup.secure", value = "false")
-    void testInterpolatorExternalDtdOn() {
-        final StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
-        assertEquals("This is an external entity.",
-                stringSubstitutor.replace("${xml:" + DOC_DIR + "document-external-dtd.xml:/document/content}").trim());
-    }
-
     @Test
     void testInterpolatorExternalEntityOff() {
         final StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
         assertThrows(IllegalArgumentException.class, () -> stringSubstitutor.replace("${xml:" + DOC_DIR + "document-entity-ref.xml:/document/content}"));
     }
 
-    @Test
-    @SetSystemProperty(key = "XmlStringLookup.secure", value = "false")
-    void testInterpolatorExternalEntityOffOverride() {
-        final StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
-        assertEquals(DATA, stringSubstitutor.replace("${xml:" + DOC_DIR + "document-entity-ref.xml:/document/content}").trim());
-    }
-
     @Test
     void testInterpolatorExternalEntityOn() {
         final StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
         assertThrows(IllegalArgumentException.class, () -> stringSubstitutor.replace("${xml:" + DOC_DIR + "document-entity-ref.xml:/document/content}"));
     }
 
     @Test
-    @SetSystemProperty(key = "XmlStringLookup.secure", value = "true")
     void testInterpolatorExternalEntityOnOverride() {
         final StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
         assertThrows(IllegalArgumentException.class,
