fix: XSLT Injection(XSLT注入)

Links https://docs.qq.com/sheet/DTkRSaWhSZXBlaldN?tab=000008&_t=1711087563249 (No.23)

fix: XSLT Injection(XSLT注入)
719f672a · 李秀明 · 6d26e415 · 719f672a
Commit 719f672a authored Mar 25, 2024 by 李秀明
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

WordConverterUtils.java ...va/com/yeejoin/amos/fas/core/util/WordConverterUtils.java +3 -0

No files found.
--- a/YeeAmosFireAutoSysService/src/main/java/com/yeejoin/amos/fas/core/util/WordConverterUtils.java
+++ b/YeeAmosFireAutoSysService/src/main/java/com/yeejoin/amos/fas/core/util/WordConverterUtils.java
@@ -6,6 +6,7 @@ import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;

+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -104,6 +105,7 @@ public class WordConverterUtils {
 			DOMSource domSource = new DOMSource(htmlDocument);
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -150,6 +152,7 @@ public class WordConverterUtils {
 			StringWriter stringWriter = new StringWriter();
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");