ICU-22888 Configure XML processors / external DTDs

Author: mihnita

icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java

@@ -142,13 +142,20 @@ public static void main(String... args) {
     private static Map<String, ReportEntry> parseReport(File reportXmlFile) {
         try {
             Map<String, ReportEntry> entries = new TreeMap<String, ReportEntry>();
-            DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
+            dfactory.setNamespaceAware(true);
+            dfactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            dfactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            DocumentBuilder docBuilder = dfactory.newDocumentBuilder();
             docBuilder.setEntityResolver(new EntityResolver() {
                 // Ignores JaCoCo report DTD
                 public InputSource resolveEntity(String publicId, String systemId) {
                     return new InputSource(new StringReader(""));
                 }
             });
+
             Document doc = docBuilder.parse(reportXmlFile);
             NodeList nodes = doc.getElementsByTagName("report");
             for (int idx = 0; idx < nodes.getLength(); idx++) {
@@ -384,5 +391,4 @@ Method method() {
             return method;
         }
     }
-
 }

icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java

@@ -20,6 +20,7 @@
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 
@@ -408,6 +409,10 @@ private void createRB(String xmlfileName) {
         String urls = filenameToURL(xmlfileName);
         DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
         dfactory.setNamespaceAware(true);
+        trySettingFeature(dfactory, "http://apache.org/xml/features/disallow-doctype-decl", true);
+        trySettingFeature(dfactory, "http://xml.org/sax/features/external-general-entities", false);
+        trySettingFeature(dfactory, "http://xml.org/sax/features/external-parameter-entities", false);
+        trySettingFeature(dfactory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
         Document doc = null;
 
         if (xliff10) {
@@ -416,6 +421,8 @@ private void createRB(String xmlfileName) {
         } else {
             try {
                 SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                 Schema schema = schemaFactory.newSchema();
 
                 dfactory.setSchema(schema);
@@ -1303,4 +1310,13 @@ private  void writeBOM(OutputStream buffer) {
             System.exit(1);
         }
     }
+
+    private static void trySettingFeature(DocumentBuilderFactory dfactory, String name, boolean value) {
+        try {
+            dfactory.setFeature(name, value);
+        } catch (ParserConfigurationException e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
 }