
To avoid XXE injections, the XML agent, parser, or reader should be configured

Bounty: 5 Yuandou [Unresolved question]

How should the code below be changed? Is this change correct?

public static List<Map> toList(String xmlStr) throws Exception
{
    XMLInputFactory inputFactory = XMLInputFactory.newInstance();
    inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
    inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
    List list = new ArrayList();
    XMLStreamReader reader = null;
    try {
        reader = inputFactory.createXMLStreamReader(new StringReader(xmlStr));
        int cDbsetNumber = xmlStr.indexOf("CDBSET");
        if (cDbsetNumber > 0) {
            list = paresDbsetElementToListList(reader);
        }
        else {
            list = paresDbsetElementToList(reader);
        }
        // Code test: modified, added an if non-null check
        if (reader != null) {
            reader.close();
        }
    }
    catch (Exception e) {
        System.out.println("Can't resolve xml:" + xmlStr);
        e.printStackTrace();
        throw new Exception(xmlStr);
    }
    finally
    {
        try {
            // Code test: modified, added an if non-null check
            if (reader != null) {
                reader.close();
            }
        }
        catch (XMLStreamException e) {
            e.printStackTrace();
        }
    }
    return list;
}

jie---open | Beginner, Level 1 | Yuandou: 127
Asked: 2018-10-26 14:56
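
An added example, not part of the original question and not the asker's code: a StAX `XMLInputFactory` with `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` both set to `FALSE`, run against a plain document and a document carrying a DOCTYPE. A factory with `SUPPORT_DTD` left at `TRUE`, as in the snippet above, still processes the DOCTYPE. The class name, helper names and sample XML are assumptions constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxDemo {
    // Factory that refuses DTD processing and external entity resolution.
    static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Collects all character data; propagates XMLStreamException on rejected input.
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        StringBuilder text = new StringBuilder();
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory factory = newHardenedFactory();
        // Constructed sample inputs; the entity target is a placeholder path.
        String plain = "<DBSET><R><C N=\"id\">1</C></R></DBSET>";
        String withDtd = "<!DOCTYPE DBSET [<!ENTITY e SYSTEM \"file:///placeholder/none.txt\">]>"
                + "<DBSET><R><C N=\"id\">&e;</C></R></DBSET>";
        System.out.println("plain document text: " + readText(factory, plain));
        try {
            String text = readText(factory, withDtd);
            System.out.println("DOCTYPE document parsed, text: [" + text + "]");
        } catch (XMLStreamException e) {
            System.out.println("DOCTYPE document rejected: " + e.getMessage());
        }
    }
}
```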