XEE injection security in XML extension. Reported by Man Yue Mo.

thboileau · thboileau · commit fe75aff3af23 · 2017-10-02T14:31:38.000+02:00
diff --git a/build/tmpl/text/changes.txt b/build/tmpl/text/changes.txt
@@ -4,6 +4,9 @@ Changes log
 ===========
 
 @version-full@ (@release-date@)
+    - Bugs fixed
+       - XEE injection security in XML extension.
+         Reported by Man Yue Mo.
 
 - 2.3.11 (09/28/2017)
     - Bugs fixed
diff --git a/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java b/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
@@ -370,7 +370,10 @@ protected DocumentBuilder getDocumentBuilder() throws IOException {
             dbf.setNamespaceAware(isNamespaceAware());
             dbf.setValidating(isValidatingDtd());
             dbf.setCoalescing(isCoalescing());
-            dbf.setExpandEntityReferences(isExpandingEntityRefs());
+            dbf.setExpandEntityReferences(false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities",isExpandingEntityRefs());
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities",isExpandingEntityRefs());
+            
             dbf.setIgnoringComments(isIgnoringComments());
             dbf.setIgnoringElementContentWhitespace(isIgnoringExtraWhitespaces());
 
