Index: trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java
===================================================================
--- trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java	(revision 10404)
@@ -35,5 +35,4 @@
 import javax.swing.SwingUtilities;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamException;
@@ -269,10 +268,6 @@
         try {
             String toXML = Main.pref.toXML(true);
-            InputStream is = new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8));
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(false);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
-            document = builder.parse(is);
+            DocumentBuilder builder = Utils.newSafeDOMBuilder();
+            document = builder.parse(new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8)));
             exportDocument = builder.newDocument();
             root = document.getDocumentElement();
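Review bot: The export path now parses `Main.pref.toXML(true)` with a namespace-aware builder, whereas the removed lines called `setNamespaceAware(false)`, and nothing in the hunk shows that the code consuming `document` was adjusted. If the preferences XML declares a default namespace, later lookups by unqualified name or by XPath without a NamespaceContext may stop matching; that code is outside the hunk, so an export test is needed to confirm it. The same silent switch applies to the call sites that previously used a bare `DocumentBuilderFactory.newInstance()`, which is namespace-unaware by default (TestAccessTokenTask, OsmServerUserInfoReader, BugReportSender). If any of them depends on the old behaviour, an overload such as `newSafeDOMBuilder(boolean namespaceAware)` would keep the hardening without changing it.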
@@ -465,9 +460,5 @@
         public void openAndReadXML(InputStream is) {
             try {
-                DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-                builderFactory.setValidating(false);
-                builderFactory.setNamespaceAware(true);
-                DocumentBuilder builder = builderFactory.newDocumentBuilder();
-                Document document = builder.parse(is);
+                Document document = Utils.parseSafeDOM(is);
                 synchronized (CustomConfigurator.class) {
                     processXML(document);
Index: trunk/src/org/openstreetmap/josm/gui/oauth/TestAccessTokenTask.java
===================================================================
--- trunk/src/org/openstreetmap/josm/gui/oauth/TestAccessTokenTask.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/gui/oauth/TestAccessTokenTask.java	(revision 10404)
@@ -10,5 +10,4 @@
 
 import javax.swing.JOptionPane;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -26,4 +25,5 @@
 import org.openstreetmap.josm.tools.CheckParameterUtil;
 import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.w3c.dom.Document;
@@ -124,5 +124,5 @@
                 throw new OsmApiException(connection.getResponse().getResponseCode(),
                         connection.getResponse().getHeaderField("Error"), null);
-            Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(connection.getResponse().getContent());
+            Document d = Utils.parseSafeDOM(connection.getResponse().getContent());
             return OsmServerUserInfoReader.buildFromXML(d);
         } catch (SAXException | ParserConfigurationException e) {
Index: trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java	(revision 10404)
@@ -9,5 +9,4 @@
 import java.util.List;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
@@ -20,4 +19,5 @@
 import org.openstreetmap.josm.data.osm.UserInfo;
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.openstreetmap.josm.tools.date.DateUtils;
@@ -175,7 +175,5 @@
             monitor.indeterminateSubTask(tr("Reading user info ..."));
             try (InputStream in = getInputStream("user/details", monitor.createSubTaskMonitor(1, true), reason)) {
-                return buildFromXML(
-                        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in)
-                );
+                return buildFromXML(Utils.parseSafeDOM(in));
             }
         } catch (OsmTransferException e) {
Index: trunk/src/org/openstreetmap/josm/io/imagery/WMSImagery.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/imagery/WMSImagery.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/io/imagery/WMSImagery.java	(revision 10404)
@@ -18,5 +18,4 @@
 import javax.imageio.ImageIO;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -152,8 +151,5 @@
 
         try {
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(true);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
+            DocumentBuilder builder = Utils.newSafeDOMBuilder();
             builder.setEntityResolver(new EntityResolver() {
                 @Override
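Review bot: The `EntityResolver` installed right after `Utils.newSafeDOMBuilder()` now runs on a parser with `FEATURE_SECURE_PROCESSING` enabled, and nothing here shows that capabilities documents carrying a DOCTYPE were re-tested. What secure processing restricts is left to the JAXP implementation, so a document that parsed before may now be rejected, or the resolver may no longer be consulted for the DTD. A regression test with a capabilities response that contains a DOCTYPE would pin the expected behaviour. A short comment above `setEntityResolver` saying why the resolver is still needed would also help; its body lies outside the hunk.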
Index: trunk/src/org/openstreetmap/josm/io/session/SessionReader.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/session/SessionReader.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/io/session/SessionReader.java	(revision 10404)
@@ -29,6 +29,4 @@
 import javax.swing.JOptionPane;
 import javax.swing.SwingUtilities;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -633,10 +631,5 @@
 
         try {
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(true);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
-            Document document = builder.parse(josIS);
-            parseJos(document, progressMonitor);
+            parseJos(Utils.parseSafeDOM(josIS), progressMonitor);
         } catch (SAXException e) {
             throw new IllegalDataException(e);
Index: trunk/src/org/openstreetmap/josm/io/session/SessionWriter.java
===================================================================
--- trunk/src/org/openstreetmap/josm/io/session/SessionWriter.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/io/session/SessionWriter.java	(revision 10404)
@@ -19,5 +19,4 @@
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
@@ -201,12 +200,9 @@
      */
     public Document createJosDocument() throws IOException {
-        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-        builderFactory.setValidating(false);
-        builderFactory.setNamespaceAware(true);
         DocumentBuilder builder = null;
         try {
-            builder = builderFactory.newDocumentBuilder();
+            builder = Utils.newSafeDOMBuilder();
         } catch (ParserConfigurationException e) {
-            throw new RuntimeException(e);
+            throw new IOException(e);
         }
         Document doc = builder.newDocument();
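Review bot: `createJosDocument()` now reports a parser configuration failure as `IOException`, but the method's Javadoc, which ends just above the hunk, is not updated to say so. Callers that treat `IOException` as a stream or disk error will now also see it for this case. I would extend the tag to something like `@throws IOException if an I/O error occurs or the XML parser cannot be configured`. Since the catch block always throws, `DocumentBuilder builder = null;` can also become `final DocumentBuilder builder;`.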
Index: trunk/src/org/openstreetmap/josm/tools/Utils.java
===================================================================
--- trunk/src/org/openstreetmap/josm/tools/Utils.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/tools/Utils.java	(revision 10404)
@@ -64,4 +64,6 @@
 
 import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
@@ -70,4 +72,5 @@
 import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.openstreetmap.josm.Main;
+import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -1408,4 +1411,42 @@
         }
         return null;
+    }
+
+    /**
+     * Returns a new secure DOM builder, supporting XML namespaces.
+     * @return a new secure DOM builder, supporting XML namespaces
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @since 10404
+     */
+    public static DocumentBuilder newSafeDOMBuilder() throws ParserConfigurationException {
+        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+        builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        builderFactory.setNamespaceAware(true);
+        builderFactory.setValidating(false);
+        return builderFactory.newDocumentBuilder();
+    }
+
+    /**
+     * Parse the content given {@link InputStream} as XML.
+     * This method uses a secure DOM builder, supporting XML namespaces.
+     *
+     * @param is The InputStream containing the content to be parsed.
+     * @return the result DOM document
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws IOException if any IO errors occur.
+     * @throws SAXException for SAX errors.
+     * @since 10404
+     */
+    public static Document parseSafeDOM(InputStream is) throws ParserConfigurationException, IOException, SAXException {
+        long start = System.currentTimeMillis();
+        if (Main.isDebugEnabled()) {
+            Main.debug("Starting DOM parsing of " + is);
+        }
+        Document result = newSafeDOMBuilder().parse(is);
+        if (Main.isDebugEnabled()) {
+            Main.debug("DOM parsing done in " + getDurationString(System.currentTimeMillis() - start));
+        }
+        return result;
     }
 
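Review bot: `newSafeDOMBuilder()` relies on `XMLConstants.FEATURE_SECURE_PROCESSING` alone, which JAXP defines only as a request to apply implementation limits such as entity expansion caps. It does not promise that external entities declared in a DOCTYPE, or XInclude, are refused. Since this builder now parses responses from remote servers in the other files of this commit, the external-entity policy should be stated explicitly, as sketched below. A parser that does not recognise one of the features will throw the already-declared `ParserConfigurationException`, so this needs a test on the supported JREs; rejecting DOCTYPE outright is probably not an option because WMSImagery installs an EntityResolver on this builder. Separately, the Javadoc of `newSafeDOMBuilder` repeats its `@throws ParserConfigurationException` line, and the first sentence of `parseSafeDOM` should read "Parse the content of the given {@link InputStream} as XML."

```java
    public static DocumentBuilder newSafeDOMBuilder() throws ParserConfigurationException {
        // … unchanged: factory creation, FEATURE_SECURE_PROCESSING …
        // State the external-entity policy explicitly; secure processing alone leaves it to the implementation
        builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builderFactory.setXIncludeAware(false);
        builderFactory.setExpandEntityReferences(false);
        // … unchanged: namespace awareness, validation off, newDocumentBuilder() …
```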
Index: trunk/src/org/openstreetmap/josm/tools/bugreport/BugReportSender.java
===================================================================
--- trunk/src/org/openstreetmap/josm/tools/bugreport/BugReportSender.java	(revision 10403)
+++ trunk/src/org/openstreetmap/josm/tools/bugreport/BugReportSender.java	(revision 10404)
@@ -18,6 +18,4 @@
 import javax.swing.JPanel;
 import javax.swing.SwingUtilities;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
@@ -100,7 +98,5 @@
 
             try (InputStream in = connection.getContent()) {
-                DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-                Document document = builder.parse(in);
-                return retrieveDebugToken(document);
+                return retrieveDebugToken(Utils.parseSafeDOM(in));
             }
         } catch (IOException | SAXException | ParserConfigurationException | XPathExpressionException t) {
