From 5f7a45b16b3963bebfb8fd90f80e09dfe68466ab Mon Sep 17 00:00:00 2001 From: danfickle Date: Sun, 16 May 2021 21:14:51 +1000 Subject: [PATCH 1/4] Turn on deprecation warnings. So we can find warnings issued by Java 17-ea and Java 11 in CI. --- pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pom.xml b/pom.xml index e742d1687..396ca1d45 100644 --- a/pom.xml +++ b/pom.xml @@ -134,6 +134,11 @@ org.apache.maven.plugins maven-compiler-plugin 3.8.1 + + + -Xlint:deprecation + + org.apache.maven.plugins From 5b2b95375f0c62315d7f4c813a2c52cb1f75cdbb Mon Sep 17 00:00:00 2001 From: danfickle Date: Sun, 23 May 2021 17:35:33 +1000 Subject: [PATCH 2/4] Stop using deprecated Short constructor in ValueConstants. --- .../css/constants/ValueConstants.java | 134 +++--------------- 1 file changed, 20 insertions(+), 114 deletions(-) diff --git a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/css/constants/ValueConstants.java b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/css/constants/ValueConstants.java index be6cfd3d1..5fd813cff 100644 --- a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/css/constants/ValueConstants.java +++ b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/css/constants/ValueConstants.java @@ -23,38 +23,24 @@ import com.openhtmltopdf.css.parser.CSSPrimitiveValue; import com.openhtmltopdf.util.LogMessageId; import com.openhtmltopdf.util.XRLog; -import com.openhtmltopdf.util.XRRuntimeException; - -import java.lang.reflect.Field; -import java.lang.reflect.Modifier; import java.util.*; import java.util.logging.Level; /** * Utility class for working with CSSValue instances. - * - * @author empty */ public final class ValueConstants { - /** - * Type descriptions--a crude approximation taken by scanning CSSValue - * statics - */ - private final static List TYPE_DESCRIPTIONS; - /** - * Description of the Field - */ private final static Map sacTypesStrings; /** - * Description of the Method + * Given a unit constant like CSSPrimitiveValue.CSS_EMS + * will return the unit suffix like em. * - * @param type PARAM - * @return Returns + * FIXME: Not exhaustive. */ public static String stringForSACPrimitiveType(short type) { - return sacTypesStrings.get(new Short(type)); + return sacTypesStrings.get(type); } /** @@ -62,14 +48,14 @@ public static String stringForSACPrimitiveType(short type) { * value for it), meaning that either the value can be used directly (e.g. * pixels) or there is a fixed context-independent conversion for it (e.g. * inches). Proportional types (e.g. %) return false. + * + * FIXME: Font proportional units are returned as absolute. Probably + * wrong method name rather than wrong behavior. * * @param type The CSSValue type to check. * @return See desc. */ - //TODO: method may be unnecessary (tobe) public static boolean isAbsoluteUnit(short type) { - // TODO: check this list... - // note, all types are included here to make sure none are missed switch (type) { // proportional length or size @@ -130,10 +116,10 @@ public static boolean isAbsoluteUnit(short type) { * Returns true if the SAC primitive value type is a number unit--a unit * that can only contain a numeric value. This is a shorthand way of saying, * did the user declare this as a number unit (like px)? - * - * @param cssPrimitiveType PARAM - * @return See desc. + * + * @deprecated Only used by the broken DOMInspector. */ + @Deprecated public static boolean isNumber(short cssPrimitiveType) { switch (cssPrimitiveType) { // fall thru on all these @@ -157,95 +143,15 @@ public static boolean isNumber(short cssPrimitiveType) { } static { - SortedMap map = new TreeMap<>(); - TYPE_DESCRIPTIONS = new ArrayList<>(); - try { - Field[] fields = CSSPrimitiveValue.class.getFields(); - for (int i = 0; i < fields.length; i++) { - Field f = fields[i]; - int mod = f.getModifiers(); - if (Modifier.isFinal(mod) && - Modifier.isStatic(mod) && - Modifier.isPublic(mod)) { - - Short val = (Short) f.get(null); - String name = f.getName(); - if (name.startsWith("CSS_")) { - if (!name.equals("CSS_INHERIT") && - !name.equals("CSS_PRIMITIVE_VALUE") && - !name.equals("CSS_VALUE_LIST") && - !name.equals("CSS_CUSTOM")) { - - map.put(val, name.substring("CSS_".length())); - } - } - } - } - // now sort by the key--the short constant for the public fields - List keys = new ArrayList<>(map.keySet()); - Collections.sort(keys); - - // then add to our static list, in the order the keys appear. this means - // list.get(index) will return the item at index, which should be the description - // for that constant - Iterator iter = keys.iterator(); - while (iter.hasNext()) { - TYPE_DESCRIPTIONS.add(map.get(iter.next())); - } - } catch (Exception ex) { - throw new XRRuntimeException("Could not build static list of CSS type descriptions.", ex); - } - - // HACK: this is a quick way to perform the lookup, but dumb if the short assigned are > 100; but the compiler will tell us that (PWW 21-01-05) sacTypesStrings = new HashMap<>(25); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_EMS), "em"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_EXS), "ex"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_PX), "px"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_PERCENTAGE), "%"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_IN), "in"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_CM), "cm"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_MM), "mm"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_PT), "pt"); - sacTypesStrings.put(new Short(CSSPrimitiveValue.CSS_PC), "pc"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_EMS, "em"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_EXS, "ex"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_PX, "px"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_PERCENTAGE, "%"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_IN, "in"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_CM, "cm"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_MM, "mm"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_PT, "pt"); + sacTypesStrings.put(CSSPrimitiveValue.CSS_PC, "pc"); } - -}// end class - -/* - * $Id$ - * - * $Log$ - * Revision 1.10 2005/10/25 16:06:49 pdoubleya - * For guessing type, with no type code, check last char, not first. - * - * Revision 1.9 2005/10/25 15:38:27 pdoubleya - * Moved guessType() to ValueConstants, applied fix to method suggested by Chris Oliver, to avoid exception-based catch. - * - * Revision 1.8 2005/09/11 20:43:15 tobega - * Fixed table-css interaction bug, colspan now works again - * - * Revision 1.7 2005/06/01 00:47:01 tobega - * Partly confused hack trying to get width and height working properly for replaced elements. - * - * Revision 1.6 2005/01/29 20:18:40 pdoubleya - * Clean/reformat code. Removed commented blocks, checked copyright. - * - * Revision 1.5 2005/01/24 14:52:20 pdoubleya - * Fixed accidental access modifier change to private--isAbsoluteUnit() is used in tests. - * - * Revision 1.4 2005/01/24 14:36:32 pdoubleya - * Mass commit, includes: updated for changes to property declaration instantiation, and new use of DerivedValue. Removed any references to older XR... classes (e.g. XRProperty). Cleaned imports. - * - * Revision 1.3 2004/11/16 10:38:21 pdoubleya - * Use XRR exception, added comments. - * - * Revision 1.2 2004/10/23 13:09:13 pdoubleya - * Re-formatted using JavaStyle tool. - * Cleaned imports to resolve wildcards - * except for common packages - * (java.io, java.util, etc). - * Added CVS log comments at bottom. - * - * - */ - +} From f82e77e32c892fc361812dfbbd9e4bb90a312c46 Mon Sep 17 00:00:00 2001 From: danfickle Date: Sun, 23 May 2021 17:54:03 +1000 Subject: [PATCH 3/4] Remove usage of Integer constructor in LayoutContext. --- .../openhtmltopdf/layout/LayoutContext.java | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/layout/LayoutContext.java b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/layout/LayoutContext.java index 2e17d3f24..990f1c107 100644 --- a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/layout/LayoutContext.java +++ b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/layout/LayoutContext.java @@ -485,31 +485,34 @@ private CounterContext() { * @return true if a counter was found and incremented */ private boolean incrementCounter(CounterData cd) { - if ("list-item".equals(cd.getName())) {//reserved name for list-item counter in CSS3 + // list-item is a reserved name for list-item counter in CSS3 + if ("list-item".equals(cd.getName())) { incrementListItemCounter(cd.getValue()); return true; } else { - Integer currentValue = (Integer) _counters.get(cd.getName()); + Integer currentValue = _counters.get(cd.getName()); if (currentValue == null) { - if (_parent == null) return false; + if (_parent == null) { + return false; + } return _parent.incrementCounter(cd); } else { - _counters.put(cd.getName(), new Integer(currentValue.intValue() + cd.getValue())); + _counters.put(cd.getName(), currentValue + cd.getValue()); return true; } } } private void incrementListItemCounter(int increment) { - Integer currentValue = (Integer) _counters.get("list-item"); + Integer currentValue = _counters.get("list-item"); if (currentValue == null) { - currentValue = new Integer(0); + currentValue = 0; } - _counters.put("list-item", new Integer(currentValue.intValue() + increment)); + _counters.put("list-item", currentValue + increment); } private void resetCounter(CounterData cd) { - _counters.put(cd.getName(), new Integer(cd.getValue())); + _counters.put(cd.getName(), cd.getValue()); } public int getCurrentCounterValue(String name) { From 23626ab6849702a8837f0ca12574cf88d2e3e4f7 Mon Sep 17 00:00:00 2001 From: danfickle Date: Sun, 23 May 2021 20:21:40 +1000 Subject: [PATCH 4/4] Cleanup XMLResource class. + Remove usage of deprecated XMLReaderFactory. + Exception on setting feature only impacts setting that feature, not all. + Ignore deprecated config file. + Default xml reader obtained is now 'com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser' which is a subclass of the previous default of 'com.sun.org.apache.xerces.internal.parsers.SAXParser'. --- .../openhtmltopdf/resource/XMLResource.java | 362 +++++------------- .../com/openhtmltopdf/util/LogMessageId.java | 1 + .../resources/conf/xhtmlrenderer.conf | 1 + 3 files changed, 101 insertions(+), 263 deletions(-) diff --git a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/resource/XMLResource.java b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/resource/XMLResource.java index 67bfc767a..38d3d048a 100644 --- a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/resource/XMLResource.java +++ b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/resource/XMLResource.java @@ -26,7 +26,6 @@ import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.FactoryConfigurationError; -import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; import javax.xml.transform.Source; @@ -37,15 +36,12 @@ import javax.xml.transform.sax.SAXSource; import com.openhtmltopdf.util.*; + import org.w3c.dom.Document; import org.xml.sax.ErrorHandler; import org.xml.sax.InputSource; -import org.xml.sax.SAXException; -import org.xml.sax.SAXNotRecognizedException; -import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXParseException; import org.xml.sax.XMLReader; -import org.xml.sax.helpers.XMLReaderFactory; /** @@ -54,11 +50,9 @@ public class XMLResource extends AbstractResource { private Document document; private static final XMLResourceBuilder XML_RESOURCE_BUILDER; - private static boolean useConfiguredParser; static { XML_RESOURCE_BUILDER = new XMLResourceBuilder(); - useConfiguredParser = true; } private XMLResource(InputStream stream) { @@ -81,118 +75,117 @@ public static XMLResource load(Reader reader) { return XML_RESOURCE_BUILDER.createXMLResource(new XMLResource(new InputSource(reader))); } - @Deprecated - public static XMLResource load(Source source) { - return XML_RESOURCE_BUILDER.createXMLResource(source); - } - public Document getDocument() { return document; } - /*package*/ - void setDocument(Document document) { + /*package*/ void setDocument(Document document) { this.document = document; } public static final XMLReader newXMLReader() { XMLReader xmlReader = null; - String xmlReaderClass = Configuration.valueFor("xr.load.xml-reader"); - - //TODO: if it doesn't find the parser, note that in a static boolean--otherwise - // you get exceptions on every load + try { - if (xmlReaderClass != null && - !xmlReaderClass.toLowerCase().equals("default") && - XMLResource.useConfiguredParser) { - try { - Class.forName(xmlReaderClass); - } catch (Exception ex) { - XMLResource.useConfiguredParser = false; - XRLog.log(Level.WARNING, LogMessageId.LogMessageId1Param.LOAD_XMLREADER_CLASS_SPECIFIED_COULD_NOT_BE_FOUND, xmlReaderClass); - } - if (XMLResource.useConfiguredParser) { - xmlReader = XMLReaderFactory.createXMLReader(xmlReaderClass); - } - } + SAXParserFactory factory = SAXParserFactory.newInstance(); + setSaxParserRequestedFeatures(factory); + + SAXParser parser = factory.newSAXParser(); + xmlReader = parser.getXMLReader(); } catch (Exception ex) { - XRLog.log(Level.WARNING, LogMessageId.LogMessageId1Param.LOAD_COULD_NOT_INSTANTIATE_CUSTOM_XML_READER, xmlReaderClass, ex); - } - if (xmlReader == null) { - try { - // JDK default - // HACK: if - /*CHECK: does this code do anything? - if (System.getProperty("org.xml.sax.driver") == null) { - String newDefault = "org.apache.crimson.parser.XMLReaderImpl"; - XRLog.load(Level.WARNING, - "No value for system property 'org.xml.sax.driver'."); - } - */ - xmlReader = XMLReaderFactory.createXMLReader(); - xmlReaderClass = "{JDK default}"; - } catch (Exception ex) { - XRLog.log(Level.INFO, LogMessageId.LogMessageId1Param.GENERAL_MESSAGE, ex.getMessage()); - } - } - if (xmlReader == null) { - try { - XRLog.log(Level.WARNING, LogMessageId.LogMessageId0Param.LOAD_FALLING_BACK_ON_THE_DEFAULT_PARSER); - SAXParser parser = SAXParserFactory.newInstance().newSAXParser(); - xmlReader = parser.getXMLReader(); - xmlReaderClass = "SAXParserFactory default"; - } catch (Exception ex) { - XRLog.log(Level.INFO, LogMessageId.LogMessageId1Param.GENERAL_MESSAGE, ex.getMessage()); - } + XRLog.log(Level.INFO, LogMessageId.LogMessageId1Param.GENERAL_MESSAGE, ex.getMessage()); } + if (xmlReader == null) { throw new XRRuntimeException("Could not instantiate any SAX 2 parser, including JDK default. " + - "The name of the class to use should have been read from the org.xml.sax.driver System " + - "property, which is set to: "/*CHECK: is this meaningful? + System.getProperty("org.xml.sax.driver")*/); + "The name of the class to use may have been read from the 'javax.xml.parsers.SAXParserFactory' System " + + "property, which is set to: " + System.getProperty("javax.xml.parsers.SAXParserFactory")); } + XRLog.log(Level.INFO, LogMessageId.LogMessageId1Param.LOAD_SAX_XMLREADER_IN_USE, xmlReader.getClass().getName()); + return xmlReader; } + @FunctionalInterface + interface SetFeature { + void setFeature(String feature, T set) throws Exception; + } + + private static boolean trySetFeature( + String feature, + T value, + SetFeature tryer) { + try { + tryer.setFeature(feature, value); + return true; + } catch (Exception e) { + XRLog.log(Level.WARNING, LogMessageId.LogMessageId2Param.XML_FEATURE_NOT_ABLE_TO_SET, feature, value, e); + return false; + } + } + + private static void setSaxParserRequestedFeatures(SAXParserFactory factory) { + factory.setValidating(false); + factory.setNamespaceAware(true); + + boolean b = true; + + b &= trySetFeature("http://apache.org/xml/features/disallow-doctype-decl", false, factory::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-general-entities", false, factory::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-parameter-entities", false, factory::setFeature); + b &= trySetFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true, factory::setFeature); + b &= trySetFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true, factory::setFeature); + + if (!b) { + XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES); + } + } + private static class XMLResourceBuilder { - - private void setXmlReaderSecurityFeatures(XMLReader xmlReader) { - try { - // VERY IMPORTANT: Without these lines, users can pull in arbitary files from the system using XXE. - // DO NOT REMOVE! - xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false); - xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); - xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - } catch (SAXNotSupportedException | SAXNotRecognizedException e) { - XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES, e); - } - } - - private void setDocumentBuilderSecurityFeatures(DocumentBuilderFactory dbf) { - try { - // VERY IMPORTANT: Without these lines, users can pull in arbitary files from the system using XXE. - // DO NOT REMOVE! - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - } catch (ParserConfigurationException e) { - XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES, e); - } - } - - private void setTranformerFactorySecurityFeatures(TransformerFactory xformFactory) { - try { - xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - } catch (IllegalArgumentException e) { - XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES, e); - } - } - + private void setXmlReaderSecurityFeatures(XMLReader xmlReader) { + boolean b = true; + + // VERY IMPORTANT: Without these lines, users can pull in arbitary files from the system using XXE. + // DO NOT REMOVE! + b &= trySetFeature("http://apache.org/xml/features/disallow-doctype-decl", false, xmlReader::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-general-entities", false, xmlReader::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-parameter-entities", false, xmlReader::setFeature); + b &= trySetFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true, xmlReader::setFeature); + b &= trySetFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true, xmlReader::setFeature); + + if (!b) { + XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES); + } + } + + private void setDocumentBuilderSecurityFeatures(DocumentBuilderFactory dbf) { + boolean b = true; + + // VERY IMPORTANT: Without these lines, users can pull in arbitary files from the system using XXE. + // DO NOT REMOVE! + b &= trySetFeature("http://apache.org/xml/features/disallow-doctype-decl", false, dbf::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-general-entities", false, dbf::setFeature); + b &= trySetFeature("http://xml.org/sax/features/external-parameter-entities", false, dbf::setFeature); + b &= trySetFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false, dbf::setFeature); + b &= trySetFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true, dbf::setFeature); + + if (!b) { + XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES); + } + } + + private void setTranformerFactorySecurityFeatures(TransformerFactory xformFactory) { + boolean b = true; + + b &= trySetFeature(XMLConstants.ACCESS_EXTERNAL_DTD, "", xformFactory::setAttribute); + b &= trySetFeature(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "", xformFactory::setAttribute); + + if (!b) { + XRLog.log(Level.SEVERE, LogMessageId.LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES); + } + } + private TransformerFactory loadPreferredTransformerFactory(String preferredImpl) { try { return TransformerFactory.newInstance(preferredImpl, null); @@ -298,175 +291,18 @@ public void warning(SAXParseException ex) { } /** - * Sets all standard features for SAX parser, using values from Configuration. + * Sets all standard features for SAX parser. */ private void setParserFeatures(XMLReader xmlReader) { - try { // perf: validation off - xmlReader.setFeature("http://xml.org/sax/features/validation", false); - // perf: namespaces - xmlReader.setFeature("http://xml.org/sax/features/namespaces", true); - } catch (SAXException s) { - // nothing to do--some parsers will not allow setting features - XRLog.log(Level.WARNING, LogMessageId.LogMessageId0Param.LOAD_COULD_NOT_SET_VALIDATION_NAMESPACE_FEATURES_FOR_XML_PARSER, s); - } - if (Configuration.isFalse("xr.load.configure-features", false)) { - XRLog.log(Level.FINE, LogMessageId.LogMessageId0Param.LOAD_SAX_PARSER_BY_REQUEST_NOT_CHANGING_PARSER_FEATURES); - return; - } - - // perf: validation off - setFeature(xmlReader, "http://xml.org/sax/features/validation", "xr.load.validation"); - - // mem: intern strings - setFeature(xmlReader, "http://xml.org/sax/features/string-interning", "xr.load.string-interning"); - - // perf: namespaces - setFeature(xmlReader, "http://xml.org/sax/features/namespaces", "xr.load.namespaces"); - setFeature(xmlReader, "http://xml.org/sax/features/namespace-prefixes", "xr.load.namespace-prefixes"); - } + boolean b = true; - /** - * Attempts to set requested feature on the parser; logs exception if not supported - * or not recognized. - */ - private void setFeature(XMLReader xmlReader, String featureUri, String configName) { - try { - xmlReader.setFeature(featureUri, Configuration.isTrue(configName, false)); - XRLog.log(Level.FINE, LogMessageId.LogMessageId2Param.LOAD_SAX_FEATURE_SET, featureUri.substring(featureUri.lastIndexOf("/")), xmlReader.getFeature(featureUri)); - } catch (SAXNotSupportedException ex) { - XRLog.log(Level.WARNING, LogMessageId.LogMessageId1Param.LOAD_SAX_FEATURE_NOT_SUPPORTED, featureUri); - } catch (SAXNotRecognizedException ex) { - XRLog.log(Level.WARNING, LogMessageId.LogMessageId1Param.LOAD_SAX_FEATURE_NOT_RECOGNIZED, featureUri); - } - } - - @Deprecated - public XMLResource createXMLResource(Source source) { - DOMResult output = null; - TransformerFactory xformFactory = null; - Transformer idTransform = null; - long st = 0L; - - st = System.currentTimeMillis(); - try { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - - // VERY IMPORTANT: Without these lines, users can pull in arbitary files from the system using XXE. - // DO NOT REMOVE! - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - - dbf.setNamespaceAware(true); - dbf.setValidating(false);//validation is the root of all evil in xml - tobe - output = new DOMResult(dbf.newDocumentBuilder().newDocument()); - - try { - xformFactory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null); - } catch(Exception e) { - XRLog.log(Level.SEVERE, LogMessageId.LogMessageId1Param.LOAD_COULD_NOT_LOAD_PREFERRED_XML, "transformer"); - xformFactory = TransformerFactory.newInstance(); - } - - xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - - idTransform = xformFactory.newTransformer(); - } catch (Exception ex) { - throw new XRRuntimeException("Failed on configuring SAX to DOM transformer.", ex); - } + b &= trySetFeature("http://xml.org/sax/features/validation", false, xmlReader::setFeature); + b &= trySetFeature("http://xml.org/sax/features/namespaces", true, xmlReader::setFeature); - try { - idTransform.transform(source, output); - } catch (Exception ex) { - throw new XRRuntimeException("Can't load the XML resource (using TRaX transformer). " + ex.getMessage(), ex); + if (!b) { + // nothing to do--some parsers will not allow setting features + XRLog.log(Level.WARNING, LogMessageId.LogMessageId0Param.LOAD_COULD_NOT_SET_VALIDATION_NAMESPACE_FEATURES_FOR_XML_PARSER); } - - long end = System.currentTimeMillis(); - - //HACK: should rather use a default constructor - XMLResource target = new XMLResource((InputSource) null); - - target.setElapsedLoadTime(end - st); - - XRLog.log(Level.INFO, LogMessageId.LogMessageId1Param.LOAD_LOADED_DOCUMENT_TIME, target.getElapsedLoadTime()); - - target.setDocument((Document) output.getNode()); - return target; } } } - -/* - * $Id$ - * - * $Log$ - * Revision 1.20 2007/05/15 22:01:42 peterbrant - * Remove unused code - * - * Revision 1.19 2006/07/26 18:09:42 pdoubleya - * Clean exception throws. - * - * Revision 1.18 2006/02/02 02:47:36 peterbrant - * Support non-AWT images - * - * Revision 1.17 2005/10/22 00:09:18 peterbrant - * Rollback to 1.15 - * - * Revision 1.15 2005/07/02 09:40:24 tobega - * More robust parsing - * - * Revision 1.14 2005/06/26 01:02:21 tobega - * Now checking for SecurityException on System.getProperty - * - * Revision 1.13 2005/06/25 22:16:23 tobega - * Browser now handles both plain text files and images - * - * Revision 1.12 2005/06/15 10:56:14 tobega - * cleaned up a bit of URL mess, centralizing URI-resolution and loading to UserAgentCallback - * - * Revision 1.11 2005/06/13 06:50:16 tobega - * Fixed a bug in table content resolution. - * Various "tweaks" in other stuff. - * - * Revision 1.10 2005/06/01 21:36:41 tobega - * Got image scaling working, and did some refactoring along the way - * - * Revision 1.9 2005/04/20 19:13:18 tobega - * Fixed vertical align. Middle works and all look pretty much like in firefox - * - * Revision 1.8 2005/04/03 21:51:31 joshy - * fixed code that gets the XMLReader on the mac - * added isMacOSX() to GeneralUtil - * added app name and single menu bar to browser - * - * Issue number: - * Obtained from: - * Submitted by: - * Reviewed by: - * - * Revision 1.7 2005/03/28 18:33:03 pdoubleya - * Don't show stack trace if XML can't be loaded. - * - * Revision 1.6 2005/03/22 15:34:23 pdoubleya - * Changed to use XMLReaderFactory, appears to solve namespaces issue (thanks to Elliot Rusty Harold, again!). - * - * Revision 1.5 2005/03/16 19:26:31 pdoubleya - * Fixed to use proper javax.xml.transform instantiation for parser, and only try to load custom parser once, so that you don't get exceptions on each page. - * - * Revision 1.4 2005/02/05 18:09:39 pdoubleya - * Add specific SAX class name if none was specified and if system property is not already set. - * - * Revision 1.3 2005/02/05 17:19:47 pdoubleya - * Refactoring for features support, static factory method for XMLReaders. - * - * Revision 1.2 2005/02/05 11:33:33 pdoubleya - * Added load() to XMLResource, and accept overloaded input: InputSource, stream, URL. - * - * Revision 1.1 2005/02/03 20:39:35 pdoubleya - * Added to CVS. - * - * - */ \ No newline at end of file diff --git a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/util/LogMessageId.java b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/util/LogMessageId.java index 4bb9d96fc..95ae21a3e 100644 --- a/openhtmltopdf-core/src/main/java/com/openhtmltopdf/util/LogMessageId.java +++ b/openhtmltopdf-core/src/main/java/com/openhtmltopdf/util/LogMessageId.java @@ -201,6 +201,7 @@ enum LogMessageId2Param implements LogMessageId { CSS_PARSE_COULDNT_PARSE_STYLESHEET_AT_URI(XRLog.CSS_PARSE, "Couldn't parse stylesheet at URI {}: {}"), CSS_PARSE_GENERIC_MESSAGE(XRLog.CSS_PARSE, "({}) {}"), + XML_FEATURE_NOT_ABLE_TO_SET(XRLog.LOAD, "Could not set XML/SAX feature. This may be a security issue if using untrusted XML. Feature: {} -> {}"), XML_ENTITIES_SAX_FEATURE_SET(XRLog.XML_ENTITIES, "SAX Parser feature: {} set to {}"), XML_ENTITIES_ENTITY_PUBLIC_NOT_FOUND_OR_LOCAL(XRLog.XML_ENTITIES, "Entity public: {} -> {}"), XML_ENTITIES_ENTITY_CANT_FIND_LOCAL_REFERENCE(XRLog.XML_ENTITIES, "Can't find a local reference for Entity for public ID: {}" + diff --git a/openhtmltopdf-core/src/main/resources/resources/conf/xhtmlrenderer.conf b/openhtmltopdf-core/src/main/resources/resources/conf/xhtmlrenderer.conf index d861d767f..8e8b19d9c 100644 --- a/openhtmltopdf-core/src/main/resources/resources/conf/xhtmlrenderer.conf +++ b/openhtmltopdf-core/src/main/resources/resources/conf/xhtmlrenderer.conf @@ -1,3 +1,4 @@ +# DEPRECATED # Configuration file for XHTMLRenderer core # # Follows formatting specified in JavaDoc for java.util.Properties