The XML module provides a plugin allowing easy production and consumption of XML. It is secure by default and gradually relaxable.
The Java ecosystem is rich when it comes to XML libraries, maybe too rich, but that seems to be the case in many stacks. This module leverages the standard JAXP APIs, providing StAX, SAX, DOM, XSLT and XPath processing. No fancy fluent API is provided, but the plugin exposes a collection of utility methods that should cover most of the frequent use cases.
Under the hood, Woodstox is used for stream pull parsing (StAX); Xerces for stream push parsing (SAX & SAX2), DOM handling and Schema validation; and Saxon for XSLT, XPath and XQuery support.
Special attention has been paid to normalizing and tightening the security of XML processing across the libraries used.
Important: DTD is dangerous

By default, … But before enabling it, beware that if you process documents coming from untrusted sources, one could easily DoS the application (e.g. …). You have been warned.
The default behaviour is to fail on any external entity lookup. That is pretty good for your safety, as such lookups could be used to read files from the file system or the internal network, or to DoS the application. But it is not good if you need complex validation and/or transformation processing. Think of this as firewall rules: you start with a simple "Deny All" rule, then open what you need, knowing what you are doing.