fix: XSLT Injection(XSLT注入)

amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/common/utils/WordConverterUtils.java

@@ -8,6 +8,7 @@ import org.apache.poi.hwpf.converter.WordToHtmlConverter;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.commons.CommonsMultipartFile;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -117,6 +118,7 @@ public class WordConverterUtils {
 				DOMSource domSource = new DOMSource(htmlDocument);
 				StreamResult streamResult = new StreamResult(targetFile);
 				TransformerFactory tf = TransformerFactory.newInstance();
+				tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 				Transformer serializer = tf.newTransformer();
 				serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 				serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -104,6 +105,7 @@ public class WordConverterUtils {
 			DOMSource domSource = new DOMSource(htmlDocument);
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -150,6 +152,7 @@ public class WordConverterUtils {
 			StringWriter stringWriter = new StringWriter();
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -119,6 +120,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -209,7 +211,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+          Transformer transformer=transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/fileparser/product/html/ExcelHtml.java

@@ -8,6 +8,7 @@ import org.apache.poi.hssf.converter.ExcelToHtmlConverter;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -72,6 +73,7 @@ public class ExcelHtml implements AbstractHtml {
             StreamResult streamResult = new StreamResult(out);
 
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "GB2312");
             serializer.setOutputProperty(OutputKeys.INDENT, "no");

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/fileparser/product/html/WordHtml.java

@@ -31,6 +31,7 @@ import org.springframework.web.multipart.commons.CommonsMultipartFile;
 import org.w3c.dom.Document;
 
 import javax.imageio.ImageIO;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
@@ -159,6 +160,7 @@ public class WordHtml implements AbstractHtml {
             out = new ByteArrayOutputStream();
             streamResult = new StreamResult(out);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // 创建执行从 Source 到 Result 的复制的新 Transformer。
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/utils/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -103,6 +104,7 @@ public class WordConverterUtils {
             DOMSource domSource = new DOMSource(htmlDocument);
             StreamResult streamResult = new StreamResult(targetFile);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
             serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -149,6 +151,7 @@ public class WordConverterUtils {
             StringWriter stringWriter = new StringWriter();
             StreamResult streamResult = new StreamResult(stringWriter);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
             serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-precontrol-api/src/main/java/com/yeejoin/precontrol/common/utils/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -78,6 +79,7 @@ public class WordHtml implements AbstractHtml {
             out = new ByteArrayOutputStream();
             streamResult = new StreamResult(out);
             TransformerFactory tf = TransformerFactory.newInstance();
+            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // 创建执行从 Source 到 Result 的复制的新 Transformer。
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -161,7 +163,9 @@ public class WordHtml implements AbstractHtml {
             //讲转换后的结果输出到 stm 中即 F:\123.html
             Result result = new StreamResult(stm);
             //根据XSL文件创建准个转换对象
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
             //处理xml进行交换
             transformer.transform(source, result);
         } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-fas-biz/src/main/java/com/yeejoin/amos/fas/core/util/WordConverterUtils.java

@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -104,6 +105,7 @@ public class WordConverterUtils {
 			DOMSource domSource = new DOMSource(htmlDocument);
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -150,6 +152,7 @@ public class WordConverterUtils {
 			StringWriter stringWriter = new StringWriter();
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-biz/amos-boot-module-fas-biz/src/main/java/org/apache/poi/hwpf/converter/WordToHtmlConverter.java

@@ -29,6 +29,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Text;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -126,6 +127,7 @@ public class WordToHtmlConverter extends AbstractWordConverter
         StreamResult streamResult = new StreamResult( new File(args[1]) );
 
         TransformerFactory tf = TransformerFactory.newInstance();
+        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         Transformer serializer = tf.newTransformer();
         // TODO set encoding from a command argument
         serializer.setOutputProperty( OutputKeys.ENCODING, "UTF-8" );

amos-boot-module/amos-boot-module-biz/amos-boot-module-latentdanger-biz/src/main/java/com/yeejoin/amos/latentdanger/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/controller/CheckController.java

@@ -40,6 +40,7 @@ import org.typroject.tyboot.core.restful.utils.ResponseHelper;
 import org.typroject.tyboot.core.restful.utils.ResponseModel;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -387,7 +388,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/controller/TaskController.java

@@ -39,6 +39,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -194,7 +195,9 @@ public class TaskController extends AbstractBaseController{
 	        }
 
 	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			 Transformer transformer  = transformerFactory.newTransformer(template);
 			transformer.transform(source, result);
 
 			File htmlFile = new File(html);

amos-boot-module/amos-boot-module-biz/amos-boot-module-maintenance-biz/src/main/java/com/yeejoin/amos/maintenance/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/CheckController.java

@@ -48,6 +48,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -869,7 +870,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/TaskController.java

@@ -40,6 +40,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -195,7 +196,9 @@ public class TaskController extends AbstractBaseController{
 	        }
 
 	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+	        Transformer transformer  = transformerFactory.newTransformer(template);
 			transformer.transform(source, result);
 
 			File htmlFile = new File(html);

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -204,11 +206,13 @@ public class WordHtml implements AbstractHtml {
           fis1 = new FileInputStream(xsltPath);
           Source template=new StreamSource(fis1);
 
-          PrintStream stm=new PrintStream(new File(hrmlPath));
+          PrintStream stm=new PrintStream(hrmlPath);
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/controller/CheckController.java

@@ -46,6 +46,7 @@ import org.typroject.tyboot.core.restful.utils.ResponseHelper;
 import org.typroject.tyboot.core.restful.utils.ResponseModel;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -420,7 +421,9 @@ public class CheckController extends AbstractBaseController {
             }
 
             Result result = new StreamResult(html);
-            Transformer transformer = TransformerFactory.newInstance().newTransformer(template);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            Transformer transformer = transformerFactory.newTransformer(template);
 
             transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/controller/TaskController.java

@@ -39,6 +39,7 @@ import org.typroject.tyboot.core.foundation.enumeration.UserType;
 import org.typroject.tyboot.core.restful.doc.TycloudOperation;
 
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -193,8 +194,10 @@ public class TaskController extends AbstractBaseController{
 	        	dirFile.mkdirs();
 	        }
 
-	        Result result=new StreamResult(html);
-	        Transformer transformer  =TransformerFactory.newInstance().newTransformer(template);
+			 Result result = new StreamResult(html);
+			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			 Transformer transformer = transformerFactory.newTransformer(template);
 			 transformer.transform(source, result);
 
 			File htmlFile = new File(html);

amos-boot-module/amos-boot-module-biz/amos-boot-module-supervision-biz/src/main/java/com/yeejoin/amos/supervision/business/util/WordHtml.java

@@ -15,6 +15,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.*;
@@ -118,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
 
       TransformerFactory tf = TransformerFactory.newInstance();
+      tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -208,7 +210,9 @@ public class WordHtml implements AbstractHtml {
           //讲转换后的结果输出到 stm 中即 F:\123.html
           Result result=new StreamResult(stm);
           //根据XSL文件创建准个转换对象
-          Transformer transformer=TransformerFactory.newInstance().newTransformer(template);
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Transformer transformer= transformerFactory.newTransformer(template);
           //处理xml进行交换
           transformer.transform(source, result);
       } catch (FileNotFoundException e) {