} }; static { // Disable various insecure and/or expensive options. builderFactory.setValidating(false); // Can't disable doctypes entirely because they're usually harmless. External entity // resolution, however, is both expensive and insecure. try { builderFactory.setAttribute( "http://xml.org/sax/features/external-general-entities", false); } catch (IllegalArgumentException e) { // Not supported by some very old parsers. LOG.info("XML parsers will load external general entities."); } try { builderFactory.setAttribute( "http://xml.org/sax/features/external-parameter-entities", false); } catch (IllegalArgumentException e) { // Not supported by some very old parsers. LOG.info("XML parsers will load external parameter entities."); } try { builderFactory.setAttribute( "http://apache.org/xml/features/nonvalidating/load-external-dtd", false); } catch (IllegalArgumentException e) { // Only supported by Apache's XML parsers. LOG.info("XML parsers will load external DTDs."); } try { builderFactory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (IllegalArgumentException e) { // Not supported by older parsers. LOG.info("Not using secure XML processing."); } try { DocumentBuilder builder = builderFactory.newDocumentBuilder(); builder.reset(); canReuseBuilders = true; LOG.info("Reusing document builders"); } catch (UnsupportedOperationException e) { // Only supported by newer parsers (xerces 2.8.x+ for instance).