Home/ Questions/Q 8191451
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T03:55:22+00:00

I need to fix the code below for XML Data Injection. DocumentBuilderFactory factory =

  • 0

I need to fix the code below for XML Data Injection.

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder db = factory.newDocumentBuilder();
InputSource inStream = new InputSource();
inStream.setCharacterStream(new StringReader(xmlFromWebService));
Document doc = db.parse(inStream);   // reported at this line by a code audit tool
doc.getDocumentElement().normalize();

How to fix it? Do anyone have any suggestions.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m guessing that this has to do with validation of your XML against a given XSD to prevent XML Data Injection. I would suggest modifying your code like this:

    try {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setNamespaceAware( true);
  factory.setValidating( true);

  factory.setProperty( "http://java.sun.com/xml/jaxp/properties/schemaLanguage", 
                       "http://www.w3.org/2001/XMLSchema");
  factory.setProperty( "http://java.sun.com/xml/jaxp/properties/schemaSource", 
                       "file:<your_xsd_file>");

  DocumentBuilder builder = factory.newDocumentBuilder();
  InputSource inStream = new InputSource();
  inStream.setCharacterStream(new StringReader(xmlFromWebService));
  Document document = builder.parse(inStream);

} catch ( ParserConfigurationException e) {
  e.printStackTrace();
} catch ( SAXException e) {
  e.printStackTrace();
} catch ( IOException e) {
  e.printStackTrace();
}

    I hope you get the hint!

    • 0