try {
    xr.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
catch (SAXException sae) {
    throw new MyException("SAXException occurred while setting the secure parsing flag", sae);
}
xr.parse(f.getAbsolutePath());
And the exception is:
Caused by: org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
    at org.apache.xerces.parsers.AbstractSAXParser.setFeature(AbstractSAXParser.java:1654)
    at __redirected.__XMLReaderFactory.setFeature(__XMLReaderFactory.java:132)
    at ch.adnovum.appweb3.common.util.MyHandler.parse(MyHandler.java:95)
I suggest that the Sonar description should mention that this feature is not supported by all parsers.
Since this is a runtime exception, it normally only happens when you have automated tests or when a user really uses the part of the source code. So this might lead to serious bugs being introduced by eager developers trying to fix Sonar violations.
The second solution (disabling DTD) does not work across methods
Disabling DTD worked when setting the feature is in the same method as the parse() call (as in the code example above).
However, when I refactor the code and set the feature in a separate method, the Sonar rule does not notice this, e.g. like this:
private XMLReader setupXmlReader() {
    XMLReader xr = XMLParserHelper.createXmlReader();
    xr.setContentHandler(this);
    xr.setEntityResolver(this);
    try {
        xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }
    catch (SAXException sae) {
        throw new MyException("SAXException occurred while setting the secure parsing flag", sae);
    }
    return xr;
}
Now calling parse() in another method will still result in a Sonar issue, although DTD is disabled!
Regards,
Dominik
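
An added example, not part of the original post and not the poster's or SonarQube's code: one way to apply the hardening features so that a parser which does not recognize one of them, as in the trace above, does not throw at runtime, while a reader with no protection applied is never returned. The class and helper names are hypothetical and the sample document is constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlReader { // hypothetical name, not from the post
    static final String NO_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";

    // Returns false instead of throwing when the parser does not know the feature.
    static boolean trySet(XMLReader xr, String feature, boolean value) {
        try {
            xr.setFeature(feature, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false;
        }
    }

    static XMLReader harden(XMLReader xr) {
        // Best effort only: some parsers reject this flag, as in the trace above.
        trySet(xr, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Prefer refusing DOCTYPE outright; otherwise refuse external entities.
        if (trySet(xr, NO_DOCTYPE, true) || (trySet(xr, EXT_GENERAL, false) && trySet(xr, EXT_PARAM, false))) {
            return xr;
        }
        // Fail closed: never hand back a reader with no protection applied.
        throw new IllegalStateException("no XXE hardening accepted by " + xr.getClass().getName());
    }

    public static void main(String[] args) throws Exception {
        XMLReader xr = harden(SAXParserFactory.newInstance().newSAXParser().getXMLReader());
        xr.setContentHandler(new DefaultHandler());
        // Constructed sample input: a harmless internal entity, but it carries a DOCTYPE.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
        try {
            xr.parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed: DOCTYPE allowed, external entities disabled");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```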