Disable expensive XML security features
Change-Id: Ia5697d801802e4cbd256f3cef6b901ff86b7904c
diff --git a/app/src/main/kotlin/de/ids_mannheim/korapxmltools/KorapXmlTool.kt b/app/src/main/kotlin/de/ids_mannheim/korapxmltools/KorapXmlTool.kt
index 95fd2aa..8708dd8 100644
--- a/app/src/main/kotlin/de/ids_mannheim/korapxmltools/KorapXmlTool.kt
+++ b/app/src/main/kotlin/de/ids_mannheim/korapxmltools/KorapXmlTool.kt
@@ -649,6 +649,18 @@
var krillTarOutputStream: TarArchiveOutputStream? = null
var krillOutputFileName: String? = null
+ // Fast DocumentBuilderFactory without security features (safe for trusted input)
+ private val fastDomFactory: DocumentBuilderFactory by lazy {
+ DocumentBuilderFactory.newInstance().apply {
+ isNamespaceAware = false
+ isValidating = false
+ // Disable expensive security features for performance (corpus XML is trusted)
+ trySetFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+ trySetFeature("http://xml.org/sax/features/external-general-entities", false)
+ trySetFeature("http://xml.org/sax/features/external-parameter-entities", false)
+ }
+ }
+
// Thread-local DocumentBuilder pool for parallel processing
private val threadLocalBuilder: ThreadLocal<DocumentBuilder> = ThreadLocal.withInitial {
fastDomFactory.newDocumentBuilder()
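Review bot: The two comments on the added `fastDomFactory` say the security features are being disabled, but the three `trySetFeature(..., false)` calls do the opposite: turning off `load-external-dtd`, `external-general-entities` and `external-parameter-entities` is what stops the parser fetching external DTDs and entities. A later reader could take "without security features" at face value and remove or invert these lines, so I would reword the comment to something like `// Skip external DTD/entity loading: avoids file and network fetches and keeps XXE resolution off`. `trySetFeature` is defined outside this hunk; if it swallows the exception when a parser implementation rejects a feature, the factory silently keeps the default behaviour, so it should at least log which feature could not be set. DOCTYPE declarations are still accepted here, so internal entity expansion is bounded only by whatever limits the underlying parser applies; if corpus archives can ever come from outside the project, consider also setting `http://apache.org/xml/features/disallow-doctype-decl` to `true`. The `threadLocalBuilder` initializer continues past the end of the hunk.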