Package groovy.xml

Class FactorySupport

java.lang.Object
groovy.xml.FactorySupport

public class FactorySupport extends Object
Support class for creating hardened JAXP factories.

Every create* method returns a factory pre-configured to resist common XML attack vectors (XXE, billion laughs, external resource resolution). Overloads accepting flags let callers relax specific defaults when they legitimately need DOCTYPE support or external resource resolution.

  • Constructor Details

    • FactorySupport

      public FactorySupport()
  • Method Details

    • createDocumentBuilderFactory

      public static DocumentBuilderFactory createDocumentBuilderFactory() throws ParserConfigurationException
      Creates a new hardened DocumentBuilderFactory.

      Equivalent to createDocumentBuilderFactory(false): DOCTYPE declarations are rejected and XMLConstants.FEATURE_SECURE_PROCESSING is enabled. Pass true to createDocumentBuilderFactory(boolean) if DOCTYPE support is required.

      Note: prior to Groovy 6.0.0 this method returned a bare JDK factory with no hardening applied. Callers that previously parsed DOCTYPE-bearing documents through the returned factory must switch to createDocumentBuilderFactory(true).

      Returns:
      a newly created, hardened document builder factory
      Throws:
      ParserConfigurationException - if the factory cannot be created
    • createDocumentBuilderFactory

      public static DocumentBuilderFactory createDocumentBuilderFactory(boolean allowDocTypeDeclaration) throws ParserConfigurationException
      Creates a new hardened DocumentBuilderFactory.

      The returned factory has XMLConstants.FEATURE_SECURE_PROCESSING enabled, the Apache disallow-doctype-decl feature toggled according to the allowDocTypeDeclaration flag, XInclude disabled, and entity reference expansion disabled.

      Parameters:
      allowDocTypeDeclaration - whether DOCTYPE declarations are allowed in parsed documents (should be false for untrusted input)
      Returns:
      a newly created, hardened document builder factory
      Throws:
      ParserConfigurationException - if the factory cannot be created
      Since:
      6.0.0
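An added example (not part of the Groovy documentation or code base) for the migration note and the flag described above: it parses one constructed DOCTYPE-bearing document through the no-arg factory and through createDocumentBuilderFactory(true), and reports the outcome of each. The class name DocTypeMigrationCheck and the sample document are assumptions; Groovy 6.0.0 or later is assumed on the classpath.

```java
import groovy.xml.FactorySupport;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;

// Hypothetical class name; illustration only.
public class DocTypeMigrationCheck {
    // Constructed sample: internal DTD subset declaring one internal entity.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY who \"world\"> ]>\n" +
        "<note>hello &who;</note>";

    /** Parses the sample and describes the outcome instead of throwing. */
    static String outcome(DocumentBuilderFactory dbf) throws Exception {
        try {
            Document doc = dbf.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(WITH_DOCTYPE)));
            // List type and name of each node under <note>, so an unexpanded
            // reference (Node.ENTITY_REFERENCE_NODE) can be told from text.
            StringBuilder kinds = new StringBuilder();
            for (Node n = doc.getDocumentElement().getFirstChild();
                 n != null; n = n.getNextSibling()) {
                boolean ref = n.getNodeType() == Node.ENTITY_REFERENCE_NODE;
                kinds.append(ref ? "[entity-ref " : "[node ")
                     .append(n.getNodeName()).append(']');
            }
            return "parsed, children of <note>: " + kinds;
        } catch (SAXException e) {
            // The parser reports a refused DOCTYPE as a SAXException.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // No-arg overload: same as passing false.
        System.out.println("default    : "
                + outcome(FactorySupport.createDocumentBuilderFactory()));
        // Explicit opt-in for callers that must accept DOCTYPE-bearing input.
        System.out.println("allow=true : "
                + outcome(FactorySupport.createDocumentBuilderFactory(true)));
    }
}
```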
    • createSaxParserFactory

      public static SAXParserFactory createSaxParserFactory() throws ParserConfigurationException
      Creates a new hardened SAXParserFactory.

      Equivalent to createSaxParserFactory(false): DOCTYPE declarations are rejected and XMLConstants.FEATURE_SECURE_PROCESSING is enabled. Pass true to createSaxParserFactory(boolean) if DOCTYPE support is required.

      Note: prior to Groovy 6.0.0 this method returned a bare JDK factory with no hardening applied. Callers that previously parsed DOCTYPE-bearing documents through the returned factory must switch to createSaxParserFactory(true).

      Returns:
      a newly created, hardened SAX parser factory
      Throws:
      ParserConfigurationException - if the factory cannot be created
    • createSaxParserFactory

      public static SAXParserFactory createSaxParserFactory(boolean allowDocTypeDeclaration) throws ParserConfigurationException
      Creates a new hardened SAXParserFactory.

      The returned factory has XMLConstants.FEATURE_SECURE_PROCESSING enabled and the Apache disallow-doctype-decl feature toggled according to the allowDocTypeDeclaration flag.

      Parameters:
      allowDocTypeDeclaration - whether DOCTYPE declarations are allowed in parsed documents (should be false for untrusted input)
      Returns:
      a newly created, hardened SAX parser factory
      Throws:
      ParserConfigurationException - if the factory cannot be created
      Since:
      6.0.0
    • createXMLInputFactory

      public static XMLInputFactory createXMLInputFactory()
      Creates a new hardened XMLInputFactory for StAX parsing.

      Equivalent to createXMLInputFactory(false): DTD support and external entity resolution are disabled.

      Returns:
      a newly created, hardened StAX input factory
      Since:
      6.0.0
    • createXMLInputFactory

      public static XMLInputFactory createXMLInputFactory(boolean allowDocTypeDeclaration)
      Creates a new hardened XMLInputFactory for StAX parsing.

      The returned factory disables external entity resolution unconditionally and toggles XMLInputFactory.SUPPORT_DTD according to the allowDocTypeDeclaration flag.

      Parameters:
      allowDocTypeDeclaration - whether DOCTYPE declarations are allowed in parsed documents (should be false for untrusted input)
      Returns:
      a newly created, hardened StAX input factory
      Since:
      6.0.0
    • createTransformerFactory

      public static TransformerFactory createTransformerFactory(boolean allowDocTypeDeclaration, boolean allowExternalResources)
      Creates a new hardened TransformerFactory.

      The returned factory has XMLConstants.FEATURE_SECURE_PROCESSING enabled and the Apache disallow-doctype-decl feature toggled according to the allowDocTypeDeclaration flag. Access to external DTDs and stylesheets is blocked unless allowExternalResources is true.

      Parameters:
      allowDocTypeDeclaration - whether DOCTYPE declarations are allowed in transformed documents
      allowExternalResources - whether <xsl:import>/<xsl:include> may resolve external DTDs or stylesheets
      Returns:
      a newly created, hardened transformer factory
      Since:
      6.0.0
    • createSchemaFactory

      public static SchemaFactory createSchemaFactory(String schemaLanguage)
      Creates a new hardened SchemaFactory for the requested schema language.

      The returned factory has XMLConstants.FEATURE_SECURE_PROCESSING enabled, which by default already restricts resolution of external schemas and DTDs. That default can be widened by a global javax.xml.accessExternalSchema/javax.xml.accessExternalDTD system property or a jaxp.properties entry; if you need external access denied regardless of such global configuration, set XMLConstants.ACCESS_EXTERNAL_SCHEMA and XMLConstants.ACCESS_EXTERNAL_DTD to "" on the returned factory (a property set directly on the factory takes precedence over the global configuration).

      Parameters:
      schemaLanguage - the schema language URI (see XMLConstants)
      Returns:
      a newly created, hardened schema factory
      Since:
      6.0.0
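An added example (not part of the Groovy documentation or code base) of pinning external access off on the factory returned by createSchemaFactory, as the description above suggests, while the global system properties are set to "all". The class name PinnedSchemaAccess, the constructed schema and its placeholder import location are assumptions; Groovy 6.0.0 or later is assumed on the classpath.

```java
import groovy.xml.FactorySupport;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import java.io.StringReader;

// Hypothetical class name; illustration only.
public class PinnedSchemaAccess {
    // Constructed sample schema that imports a second schema over http.
    // The host is a placeholder under the reserved .invalid TLD.
    static final String IMPORTING_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"\n" +
        "           targetNamespace=\"urn:example:main\">\n" +
        "  <xs:import namespace=\"urn:example:other\"\n" +
        "             schemaLocation=\"http://schemas.example.invalid/other.xsd\"/>\n" +
        "</xs:schema>";

    /** Hardened factory with external access denied on the instance itself. */
    static SchemaFactory pinnedFactory() throws SAXException {
        SchemaFactory sf =
            FactorySupport.createSchemaFactory(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // An empty string denies every protocol for that kind of resource.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return sf;
    }

    /** Returns true if compiling the sample schema failed with a SAXException. */
    static boolean importBlocked(SchemaFactory sf) {
        try {
            sf.newSchema(new StreamSource(new StringReader(IMPORTING_XSD)));
            return false;
        } catch (SAXException e) {
            System.out.println("schema rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Simulate a deployment whose global configuration widens the default.
        System.setProperty("javax.xml.accessExternalSchema", "all");
        System.setProperty("javax.xml.accessExternalDTD", "all");
        System.out.println("import blocked: " + importBlocked(pinnedFactory()));
    }
}
```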
    • createXPathFactory

      public static XPathFactory createXPathFactory()
      Creates a new hardened XPathFactory.

      The returned factory has XMLConstants.FEATURE_SECURE_PROCESSING enabled.

      Returns:
      a newly created, hardened XPath factory
      Since:
      6.0.0