Allow overriding factory creations and safe configurations

Eugene Bochilo · Eugene Bochilo · commit db01ff7d1b00 · 2022-06-14T21:10:02.000+03:00
DEVSIX-6759
diff --git a/kernel/src/main/java/com/itextpdf/kernel/utils/DefaultSafeXmlParserFactory.java b/kernel/src/main/java/com/itextpdf/kernel/utils/DefaultSafeXmlParserFactory.java
@@ -114,7 +114,7 @@ public DefaultSafeXmlParserFactory() {
 
     @Override
     public DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments) {
-        DocumentBuilderFactory factory = XmlUtil.getDocumentBuilderFactory();
+        DocumentBuilderFactory factory = createDocumentBuilderFactory();
         configureSafeDocumentBuilderFactory(factory);
         factory.setNamespaceAware(namespaceAware);
         factory.setIgnoringComments(ignoringComments);
@@ -130,7 +130,7 @@ public DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boo
 
     @Override
     public XMLReader createXMLReaderInstance(boolean namespaceAware, boolean validating) {
-        SAXParserFactory factory = XmlUtil.createSAXParserFactory();
+        SAXParserFactory factory = createSAXParserFactory();
         factory.setNamespaceAware(namespaceAware);
         factory.setValidating(validating);
         configureSafeSAXParserFactory(factory);
@@ -145,7 +145,30 @@ public XMLReader createXMLReaderInstance(boolean namespaceAware, boolean validat
         return xmlReader;
     }
 
-    private void configureSafeDocumentBuilderFactory(DocumentBuilderFactory factory) {
+    /**
+     * Creates a document builder factory implementation.
+     * 
+     * @return result of {@link DocumentBuilderFactory#newInstance()} call
+     */
+    protected DocumentBuilderFactory createDocumentBuilderFactory() {
+        return XmlUtil.getDocumentBuilderFactory();
+    }
+
+    /**
+     * Creates a SAX parser factory implementation.
+     * 
+     * @return result of {@link SAXParserFactory#newInstance()} call
+     */
+    protected SAXParserFactory createSAXParserFactory() {
+        return XmlUtil.createSAXParserFactory();
+    }
+
+    /**
+     * Configures document builder factory to make it secure against xml attacks.
+     * 
+     * @param factory {@link DocumentBuilderFactory} instance to be configured
+     */
+    protected void configureSafeDocumentBuilderFactory(DocumentBuilderFactory factory) {
         tryToSetFeature(factory, DISALLOW_DOCTYPE_DECL, true);
         tryToSetFeature(factory, EXTERNAL_GENERAL_ENTITIES, false);
         tryToSetFeature(factory, EXTERNAL_PARAMETER_ENTITIES, false);
@@ -155,7 +178,12 @@ private void configureSafeDocumentBuilderFactory(DocumentBuilderFactory factory)
         factory.setExpandEntityReferences(false);
     }
 
-    private void configureSafeSAXParserFactory(SAXParserFactory factory) {
+    /**
+     * Configures SAX parser factory to make it secure against xml attacks.
+     *
+     * @param factory {@link SAXParserFactory} instance to be configured
+     */
+    protected void configureSafeSAXParserFactory(SAXParserFactory factory) {
         tryToSetFeature(factory, DISALLOW_DOCTYPE_DECL, true);
         tryToSetFeature(factory, EXTERNAL_GENERAL_ENTITIES, false);
         tryToSetFeature(factory, EXTERNAL_PARAMETER_ENTITIES, false);
