Add a context param to disallow DOCTYPE declarations

[ren-zhijun-oracle]

Currently, whether or not DOCTYPE declarations are allowed depends on the SAXParserFactory implementation in use. It would be good to add a context param to explicitly disallow/allow DOCTYPE declarations, as follows:

<context-param>
    <param-name>com.sun.faces.disallowDoctypeDecl</param-name>
    <param-value>true</param-value>
</context-param>

When this context param is set to true, this would set a feature on the SAX parser to disallow DOCTYPE declarations. When set to false, this would set a feature on the SAX parser to allow DOCTYPE declarations. When this context param is not specified, whether or not DOCTYPE declarations are allowed would just depend on the SAXParserFactory implementation in use, as is the case today.

As an example, for WildFly, we are considering switching to a SAXParserFactory implementation that disallows DOCTYPE declarations by default. Thus, this context param would allow users to override this default behaviour for individual JSF apps, if desired.

The following is a patch that adds this context param:
fjuma/mojarra-1@946cae9

Affected Versions

[2.2.13]

[ren-zhijun-oracle]

@javaserverfaces Commented
Reported by fjuma

[ren-zhijun-oracle]

@javaserverfaces Commented
Issue-Links:
is cloned by
JAVASERVERFACES-4157

[ren-zhijun-oracle]

@javaserverfaces Commented
Was assigned to ren.zhijun.oracle

[ren-zhijun-oracle]

@javaserverfaces Commented
fjuma said:
Any thoughts on this one?

[ren-zhijun-oracle]

@javaserverfaces Commented
Marked as fixed on Tuesday, June 28th 2016, 1:59:17 am

[ren-zhijun-oracle]

@javaserverfaces Commented
ren.zhijun.oracle said:
Project: mojarra
Repository: git
Revision: 2e4bb15
Author: ren.zhijun.oracle
Date: 2016-06-28 08:57:43 UTC
Link:

Log Message:

https://java.net/jira/browse/JAVASERVERFACES-4130: Add a context param to disallow DOCTYPE declarations

Revisions:

2e4bb15

Modified Paths:

jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java

Diffs:

— a/jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
+++ b/jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
@@ -1432,6 +1432,9 @@ public class WebConfiguration {
false),
EnableWebsocketEndpoint(
PushContext.ENABLE_WEBSOCKET_ENDPOINT_PARAM_NAME,

• false),
• DisallowDoctypeDecl(
• "com.sun.faces.disallowDoctypeDecl",
  false);

private BooleanWebContextInitParameter alternate;
— a/jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java
+++ b/jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java
@@ -58,6 +58,8 @@

package com.sun.faces.facelets.compiler;

+import static com.sun.faces.config.WebConfiguration.BooleanWebContextInitParameter.DisallowDoctypeDecl;
+
import com.sun.faces.RIConstants;
import com.sun.faces.config.FaceletsConfiguration;
import com.sun.faces.config.WebConfiguration;
@@ -311,6 +313,14 @@ public final class SAXCompiler extends Compiler {
}
}
}
+

• protected boolean isDisallowDoctypeDeclSet()

{ + return unit.getWebConfiguration().isSet(DisallowDoctypeDecl); + }

• protected boolean isDisallowDoctypeDecl()

{ + return unit.getWebConfiguration().isOptionEnabled(DisallowDoctypeDecl); + }

}

@@ -537,6 +547,9 @@ public final class SAXCompiler extends Compiler {
factory.setFeature("http://xml.org/sax/features/validation", this
.isValidating());
factory.setValidating(this.isValidating());

• if (handler.isDisallowDoctypeDeclSet())

{ + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", handler.isDisallowDoctypeDecl()); + }

SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
reader.setProperty("http://xml.org/sax/properties/lexical-handler",

[ren-zhijun-oracle]

@javaserverfaces Commented
ren.zhijun.oracle said:
Will backport to 2.2.x tomorrow.

[ren-zhijun-oracle]

@javaserverfaces Commented
This issue was imported from java.net JIRA JAVASERVERFACES-4130

[ren-zhijun-oracle]

• Issue Imported From: https://github.com/javaserverfaces/mojarra/issues/4134
• Original Issue Raised By:@javaserverfaces
• Original Issue Assigned To: @glassfishrobot
• Original Issue Closed By:@javaserverfaces