Add a context param to disallow DOCTYPE declarations

[javaserverfaces]

Currently, whether or not DOCTYPE declarations are allowed depends on the SAXParserFactory implementation in use. It would be good to add a context param to explicitly disallow/allow DOCTYPE declarations, as follows:

<context-param>
    <param-name>com.sun.faces.disallowDoctypeDecl</param-name>
    <param-value>true</param-value>
</context-param>

When this context param is set to true, this would set a feature on the SAX parser to disallow DOCTYPE declarations. When set to false, this would set a feature on the SAX parser to allow DOCTYPE declarations. When this context param is not specified, whether or not DOCTYPE declarations are allowed would just depend on the SAXParserFactory implementation in use, as is the case today.

As an example, for WildFly, we are considering switching to a SAXParserFactory implementation that disallows DOCTYPE declarations by default. Thus, this context param would allow users to override this default behaviour for individual JSF apps, if desired.

The following is a patch that adds this context param:
fjuma@946cae9

Affected Versions

[2.2.13]

[javaserverfaces]

Reported by fjuma

[javaserverfaces]

Issue-Links:
is cloned by
JAVASERVERFACES-4157

[javaserverfaces]

Was assigned to ren.zhijun.oracle

[javaserverfaces]

fjuma said:
Any thoughts on this one?

[javaserverfaces]

Marked as fixed on Tuesday, June 28th 2016, 1:59:17 am

[javaserverfaces]

ren.zhijun.oracle said:
Project: mojarra
Repository: git
Revision: 2e4bb15
Author: ren.zhijun.oracle
Date: 2016-06-28 08:57:43 UTC
Link:

Log Message:

https://java.net/jira/browse/JAVASERVERFACES-4130: Add a context param to disallow DOCTYPE declarations

Revisions:

2e4bb15

Modified Paths:

jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java

Diffs:

— a/jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
+++ b/jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
@@ -1432,6 +1432,9 @@ public class WebConfiguration {
false),
EnableWebsocketEndpoint(
PushContext.ENABLE_WEBSOCKET_ENDPOINT_PARAM_NAME,

• false),
• DisallowDoctypeDecl(
• "com.sun.faces.disallowDoctypeDecl",
  false);

private BooleanWebContextInitParameter alternate;
— a/jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java
+++ b/jsf-ri/src/main/java/com/sun/faces/facelets/compiler/SAXCompiler.java
@@ -58,6 +58,8 @@

package com.sun.faces.facelets.compiler;

+import static com.sun.faces.config.WebConfiguration.BooleanWebContextInitParameter.DisallowDoctypeDecl;
+
import com.sun.faces.RIConstants;
import com.sun.faces.config.FaceletsConfiguration;
import com.sun.faces.config.WebConfiguration;
@@ -311,6 +313,14 @@ public final class SAXCompiler extends Compiler {
}
}
}
+

• protected boolean isDisallowDoctypeDeclSet()

{ + return unit.getWebConfiguration().isSet(DisallowDoctypeDecl); + }

• protected boolean isDisallowDoctypeDecl()

{ + return unit.getWebConfiguration().isOptionEnabled(DisallowDoctypeDecl); + }

}

@@ -537,6 +547,9 @@ public final class SAXCompiler extends Compiler {
factory.setFeature("http://xml.org/sax/features/validation", this
.isValidating());
factory.setValidating(this.isValidating());

• if (handler.isDisallowDoctypeDeclSet())

{ + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", handler.isDisallowDoctypeDecl()); + }

SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
reader.setProperty("http://xml.org/sax/properties/lexical-handler",

[javaserverfaces]

ren.zhijun.oracle said:
Will backport to 2.2.x tomorrow.

[javaserverfaces]

This issue was imported from java.net JIRA JAVASERVERFACES-4130