From f8c6188f6c8d418b35db2d0764d39f9d7085ee7c Mon Sep 17 00:00:00 2001
From: pwddd <138374591+pwddd@users.noreply.github.com>
Date: Fri, 30 May 2025 11:28:28 +0800
Subject: [PATCH] Potential fix for code scanning alert no. 100: Resolving XML external entity in user-controlled data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/java/org/joychou/controller/XXE.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/java/org/joychou/controller/XXE.java b/src/main/java/org/joychou/controller/XXE.java
index 58e90739..4e13ec68 100644
--- a/src/main/java/org/joychou/controller/XXE.java
+++ b/src/main/java/org/joychou/controller/XXE.java
@@ -348,6 +348,9 @@ public String XMLReaderVuln(HttpServletRequest request) {
 SAXParserFactory spf = SAXParserFactory.newInstance();
 SAXParser saxParser = spf.newSAXParser();
 XMLReader xmlReader = saxParser.getXMLReader();
+ xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 xmlReader.parse(new InputSource(new StringReader(body)));
 } catch (Exception e) {