...
This compliant code example employs this schema to prevent XML injection from succeeding. The schema is available as the file schema.xsd. It also relies on the CustomResolver class to prevent XXE attacks. This class, as well as XXE attacks, is described in the subsequent code examples.
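/**
 * Writes an {@code <item>} XML fragment containing {@code quantity} to {@code outStream},
 * but only after a validating SAX parse has accepted it against {@code schema.xsd}.
 *
 * <p>The schema is what defeats XML injection: extra elements smuggled in through
 * {@code quantity} make the document invalid, so it is never written. External
 * entity resolution is delegated to {@link CustomResolver}, which the surrounding
 * text relies on to block XXE.
 *
 * @param outStream destination for the validated XML; flushed but not closed
 * @param quantity  untrusted value placed in the {@code <quantity>} element
 * @throws IOException if the parser cannot be configured, the document fails
 *                     validation, or the write fails; the parser's exception is
 *                     preserved as the cause
 */
private void createXMLStream(BufferedOutputStream outStream, String quantity)
    throws IOException {
  String xmlString =
      "<item>\n<description>Widget</description>\n<price>500.0</price>\n"
          + "<quantity>" + quantity + "</quantity></item>";
  InputSource xmlStream = new InputSource(new StringReader(xmlString));

  // Build a validating SAX parser using our schema
  SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
  // Escalate every reported problem (warnings included) to an exception so that
  // nothing short of a fully valid document reaches the write below.
  DefaultHandler defHandler = new DefaultHandler() {
    @Override
    public void warning(SAXParseException s) throws SAXParseException { throw s; }
    @Override
    public void error(SAXParseException s) throws SAXParseException { throw s; }
    @Override
    public void fatalError(SAXParseException s) throws SAXParseException { throw s; }
  };
  StreamSource ss = new StreamSource(new File("schema.xsd"));

  try {
    Schema schema = sf.newSchema(ss);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    // Defence in depth alongside CustomResolver: enables the JAXP secure-processing limits.
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    spf.setSchema(schema);
    SAXParser saxParser = spf.newSAXParser();

    // To set the custom entity resolver, an XML reader needs to be created.
    // Parse through the reader rather than SAXParser.parse(InputSource, DefaultHandler):
    // DefaultHandler implements EntityResolver, and that convenience method registers
    // the handler in every SAX role, which would replace CustomResolver.
    XMLReader reader = saxParser.getXMLReader();
    reader.setEntityResolver(new CustomResolver());
    reader.setErrorHandler(defHandler);
    reader.setContentHandler(defHandler);
    reader.parse(xmlStream);
  } catch (ParserConfigurationException x) {
    throw new IOException("Unable to validate XML", x);
  } catch (SAXException x) {
    throw new IOException("Invalid quantity", x);
  }

  // Our XML is valid, proceed. Name the charset explicitly so the bytes written
  // do not depend on the platform default encoding.
  outStream.write(xmlString.getBytes(java.nio.charset.StandardCharsets.UTF_8));
  outStream.flush();
}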
...
[[OWASP 2005 | AA. Bibliography#OWASP 05]]
[[OWASP 2007 | AA. Bibliography#OWASP 07]]
[[OWASP 2008 | AA. Bibliography#OWASP 08]]
[[W3C 2008 | AA. Bibliography#W3C 08]], Section 4.4.3, "Included If Validating"
...