fix: XSLT Injection(XSLT注入)

amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/common/utils/WordConverterUtils.java

@@ -8,6 +8,7 @@ import org.apache.poi.hwpf.converter.WordToHtmlConverter;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.commons.CommonsMultipartFile;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -25,8 +26,8 @@ import java.net.URLConnection;
 public class WordConverterUtils {
 
 
-	
-	
+
+
     public static MultipartFile fileToMultipartFile(File file) {
         FileItem fileItem = createFileItem(file);
         MultipartFile multipartFile = new CommonsMultipartFile(fileItem);
@@ -48,26 +49,26 @@ public class WordConverterUtils {
         }
         return item;
     }
-	 
-	 
-    
-	 
-	 
+
+
+
+
+
    	/**
    	 * word文档转html文档
-   	 * 
+   	 *
    	 * @param srcFile    原文档
    	 * @param targetFile 目标文档
    	 * @param fileService   图片上传接口
    	 */
    	public static void wordToHtml(String srcFile, String targetFile, String imagePathStr,String readUrl,FileService fileService,String product,String appKey,String token ) {
-   		File html = new File(targetFile);		
+   		File html = new File(targetFile);
    		if ( html.exists()) {
    			return;
    		} else {
    			if (srcFile.endsWith(".doc")) {
    				docToHtml(  imagePathStr,readUrl,srcFile, html, fileService, product, appKey, token);
-   			} 
+   			}
 //   			else if (srcFile.endsWith(".docx")) {
 //   				docxToHtml(  imagePathStr,readUrl,srcFile, html, fileService, product, appKey, token);
 //   			}
@@ -76,7 +77,7 @@ public class WordConverterUtils {
 
    	/**
    	 * .doc文档转换成html
-   	 * 
+   	 *
    	 * @param srcFile    原文档
    	 * @param targetFile 目标文档
    	 * @param fileService   图片上传接口
@@ -87,7 +88,7 @@ public class WordConverterUtils {
    			File imagePath = new File(imagePathStr);
    			if (!imagePath.exists()) {
    				imagePath.mkdirs();
-   			}		
+   			}
    		    URL url = new URL(srcFile);
 	        //链接url
 	        URLConnection uc = url.openConnection();
@@ -117,6 +118,7 @@ public class WordConverterUtils {
 				DOMSource domSource = new DOMSource(htmlDocument);
 				StreamResult streamResult = new StreamResult(targetFile);
 				TransformerFactory tf = TransformerFactory.newInstance();
+				tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 				Transformer serializer = tf.newTransformer();
 				serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 				serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -145,27 +147,27 @@ public class WordConverterUtils {
 //   	 * @param fileService   图片上传接口
 //   	 */
 //   	private static void docxToHtml( String imagePathStr,String readUrl,String srcFile, File targetFile, FileService fileService,String product,String appKey,String token) {
-//   		
+//
 //   		File imagePath = new File(imagePathStr);
 //   		if (!imagePath.exists()) {
 //   			imagePath.mkdirs();
 //   		}
 //   	 OutputStream outputStreamWriter=null;
 //   		try {
-//   			
+//
 //   			URL url = new URL(srcFile);
 //	        //链接url
 //	        URLConnection uc = url.openConnection();
 //	        //获取输入流
 //	        InputStream in = uc.getInputStream();
-//   			XWPFDocument document = new XWPFDocument(in);   			
+//   			XWPFDocument document = new XWPFDocument(in);
 //   		   //存储图片
 //   			PdfOptions  options=PdfOptions.create();
 //
 //             outputStreamWriter=new FileOutputStream(targetFile);
 //   		     PdfConverter.getInstance().convert(document,outputStreamWriter,options);
 //
-//   			 
+//
 //   		} catch (Exception e) {
 //   			e.printStackTrace();
 //   		} finally {
@@ -176,8 +178,8 @@ public class WordConverterUtils {
 //   			} catch (Exception e2) {
 //   				e2.printStackTrace();
 //   			}
-//   
+//
 //   		}
-//   
+//
 //   	}
   }

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -104,6 +105,7 @@ public class WordConverterUtils {
 			DOMSource domSource = new DOMSource(htmlDocument);
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -150,6 +152,7 @@ public class WordConverterUtils {
 			StringWriter stringWriter = new StringWriter();
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -69,7 +70,7 @@ public class WordHtml implements AbstractHtml {
 
   /**
    * 将doc文档转换为html文件
-   * 
+   *
    * @param is 需要转换的doc文件
    * @param outPutFile 输出html文件的全路径
    * @throws TransformerException
@@ -119,6 +120,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -191,8 +193,8 @@ public class WordHtml implements AbstractHtml {
       }
     }
   }
-  
-  
+
+
   public static void xml2Ttml(String docPath, String xsltPath, String hrmlPath){
       FileInputStream fis= null;
       FileInputStream fis1= null;
@@ -209,7 +211,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+          Transformer transformer=transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/fileparser/product/html/ExcelHtml.java

@@ -8,6 +8,7 @@ import org.apache.poi.hssf.converter.ExcelToHtmlConverter;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -72,6 +73,7 @@ public class ExcelHtml implements AbstractHtml {
             StreamResult streamResult = new StreamResult(out);
 
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "GB2312");
             serializer.setOutputProperty(OutputKeys.INDENT, "no");

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/fileparser/product/html/WordHtml.java

@@ -31,6 +31,7 @@ import org.springframework.web.multipart.commons.CommonsMultipartFile;
 import org.w3c.dom.Document;
 
 import javax.imageio.ImageIO;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
@@ -159,6 +160,7 @@ public class WordHtml implements AbstractHtml {
             out = new ByteArrayOutputStream();
             streamResult = new StreamResult(out);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // 创建执行从 Source 到 Result 的复制的新 Transformer。
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/utils/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -103,6 +104,7 @@ public class WordConverterUtils {
             DOMSource domSource = new DOMSource(htmlDocument);
             StreamResult streamResult = new StreamResult(targetFile);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
             serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -149,6 +151,7 @@ public class WordConverterUtils {
             StringWriter stringWriter = new StringWriter();
             StreamResult streamResult = new StreamResult(stringWriter);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
             serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/utils/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -78,6 +79,7 @@ public class WordHtml implements AbstractHtml {
             out = new ByteArrayOutputStream();
             streamResult = new StreamResult(out);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // 创建执行从 Source 到 Result 的复制的新 Transformer。
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -161,7 +163,9 @@ public class WordHtml implements AbstractHtml {
             //讲转换后的结果输出到 stm 中即 F:\123.html
             Result result = new StreamResult(stm);
             //根据XSL文件创建准个转换对象
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
             //处理xml进行交换
             transformer.transform(source, result);
         } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-fas-biz/src/main/java/com/yeejoin/amos/fas/core/util/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -104,6 +105,7 @@ public class WordConverterUtils {
 			DOMSource domSource = new DOMSource(htmlDocument);
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -150,6 +152,7 @@ public class WordConverterUtils {
 			StringWriter stringWriter = new StringWriter();
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-biz/amos-boot-module-fas-biz/src/main/java/org/apache/poi/hwpf/converter/WordToHtmlConverter.java

@@ -29,6 +29,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Text;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -46,7 +47,7 @@ import static org.apache.poi.hwpf.converter.AbstractWordUtils.TWIPS_PER_INCH;
  * This implementation doesn't create images or links to them. This can be
  * changed by overriding {@link #processImage(Element, boolean, Picture)}
  * method.
- * 
+ *
  * @author Sergey Vladimirov (vlsergey {at} gmail {dot} com)
  */
 @Beta
@@ -71,7 +72,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
     private static final POILogger logger = POILogFactory
             .getLogger( WordToHtmlConverter.class );
 
-    
+
     private static String getSectionStyle( Section section )
     {
         float leftMargin = section.getMarginLeft() / TWIPS_PER_INCH;
@@ -101,7 +102,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
 
     /**
      * Java main() interface to interact with {@link WordToHtmlConverter}
-     * 
+     *
      * <p>
      * Usage: WordToHtmlConverter infile outfile
      * </p>
@@ -126,6 +127,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
         StreamResult streamResult = new StreamResult( new File(args[1]) );
 
         TransformerFactory tf = TransformerFactory.newInstance();
+        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         Transformer serializer = tf.newTransformer();
         // TODO set encoding from a command argument
         serializer.setOutputProperty( OutputKeys.ENCODING, "UTF-8" );
@@ -153,7 +155,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
     /**
      * Creates new instance of {@link WordToHtmlConverter}. Can be used for
      * output several {@link HWPFDocument}s into single HTML document.
-     * 
+     *
      * @param document
      *            XML DOM Document used as HTML document
      */
@@ -577,7 +579,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
         if(paragraph.getStyleIndex()>0){
         	pElement.setAttribute("id", "p"+System.nanoTime()%100000000+"-"+paragraph.getStyleIndex());
         }
-        
+
         WordToHtmlUtils.compactSpans( pElement );
         return;
     }

amos-boot-module/amos-boot-module-biz/amos-boot-module-latentdanger-biz/src/main/java/com/yeejoin/amos/latentdanger/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -69,7 +70,7 @@ public class WordHtml implements AbstractHtml {
 
   /**
    * 将doc文档转换为html文件
-   * 
+   *
    * @param fileName 需要转换的doc文件
    * @param outPutFile 输出html文件的全路径
    * @throws TransformerException
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -190,8 +192,8 @@ public class WordHtml implements AbstractHtml {
       }
     }
   }
-  
-  
+
+
   public static void xml2Ttml(String docPath, String xsltPath, String hrmlPath){
       FileInputStream fis= null;
       FileInputStream fis1= null;
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/controller/CheckController.java

@@ -40,6 +40,7 @@ import org.typroject.tyboot.core.restful.utils.ResponseHelper;
 import org.typroject.tyboot.core.restful.utils.ResponseModel;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -387,7 +388,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/controller/TaskController.java

@@ -39,6 +39,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -194,7 +195,9 @@ public class TaskController extends AbstractBaseController{
 	        }
 
 	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			 Transformer transformer  = transformerFactory.newTransformer(template);
 			transformer.transform(source, result);
 
 			File htmlFile = new File(html);

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -69,7 +70,7 @@ public class WordHtml implements AbstractHtml {
 
   /**
    * 将doc文档转换为html文件
-   * 
+   *
    * @param fileName 需要转换的doc文件
    * @param outPutFile 输出html文件的全路径
    * @throws TransformerException
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -190,8 +192,8 @@ public class WordHtml implements AbstractHtml {
       }
     }
   }
-  
-  
+
+
   public static void xml2Ttml(String docPath, String xsltPath, String hrmlPath){
       FileInputStream fis= null;
       FileInputStream fis1= null;
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/CheckController.java

@@ -48,6 +48,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -869,7 +870,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/TaskController.java

@@ -40,6 +40,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -195,7 +196,9 @@ public class TaskController extends AbstractBaseController{
 	        }
 
 	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+	        Transformer transformer  = transformerFactory.newTransformer(template);
 			transformer.transform(source, result);
 
 			File htmlFile = new File(html);

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -69,7 +70,7 @@ public class WordHtml implements AbstractHtml {
 
   /**
    * 将doc文档转换为html文件
-   * 
+   *
    * @param fileName 需要转换的doc文件
    * @param outPutFile 输出html文件的全路径
    * @throws TransformerException
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -190,8 +192,8 @@ public class WordHtml implements AbstractHtml {
       }
     }
   }
-  
-  
+
+
   public static void xml2Ttml(String docPath, String xsltPath, String hrmlPath){
       FileInputStream fis= null;
       FileInputStream fis1= null;
@@ -204,11 +206,13 @@ public class WordHtml implements AbstractHtml {
           fis1 = new FileInputStream(xsltPath);
           Source template=new StreamSource(fis1);
 
-          PrintStream stm=new PrintStream(new File(hrmlPath));
+          PrintStream stm=new PrintStream(hrmlPath);
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/controller/CheckController.java

@@ -46,6 +46,7 @@ import org.typroject.tyboot.core.restful.utils.ResponseHelper;
 import org.typroject.tyboot.core.restful.utils.ResponseModel;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -420,7 +421,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/controller/TaskController.java

@@ -39,6 +39,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -193,9 +194,11 @@ public class TaskController extends AbstractBaseController{
 	        	dirFile.mkdirs();
 	        }
 
-	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
-			transformer.transform(source, result);
+			 Result result = new StreamResult(html);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			 Transformer transformer = transformerFactory.newTransformer(template);
+			 transformer.transform(source, result);
 
 			File htmlFile = new File(html);
 			FileInputStream fis = new FileInputStream(htmlFile);

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -69,7 +70,7 @@ public class WordHtml implements AbstractHtml {
 
   /**
    * 将doc文档转换为html文件
-   * 
+   *
    * @param fileName 需要转换的doc文件
    * @param outPutFile 输出html文件的全路径
    * @throws TransformerException
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -190,8 +192,8 @@ public class WordHtml implements AbstractHtml {
       }
     }
   }
-  
-  
+
+
   public static void xml2Ttml(String docPath, String xsltPath, String hrmlPath){
       FileInputStream fis= null;
       FileInputStream fis1= null;
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {