
#903 disable DOCTYPE to fix XXE Vulnerability

Binary Wang 6 vuotta sitten
vanhempi
commit
8ec61d1328

+ 1 - 0
weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java

@@ -39,6 +39,7 @@ public class WxCryptUtil {
       try {
         final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setExpandEntityReferences(false);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         return factory.newDocumentBuilder();
       } catch (ParserConfigurationException exc) {
         throw new IllegalArgumentException(exc);
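Review bot: The added `setFeature` line carries no comment, and its URI is an Apache Xerces feature name that a later maintainer could easily mistake for optional tuning; a one-liner above it would anchor the intent, e.g. `// Reject any DOCTYPE outright: with no DTD there are no entities to expand, which closes XXE and entity-expansion DoS (OWASP XXE prevention).` If a JAXP provider that does not recognise the feature is ever first on the classpath, `setFeature` throws `ParserConfigurationException`, which the catch below turns into `IllegalArgumentException` — that fails closed, which is the right outcome, though the exception type reads as a caller error rather than a mis-provisioned parser, so a message naming the missing feature would aid diagnosis. The same three-line factory setup is repeated verbatim in `BaseWxPayResult` and in the tests; a single hardened-factory helper in weixin-java-common would keep any future parser from missing this line. The enclosing method starts before the hunk, so only the factory-building portion is visible here.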

+ 3 - 0
weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java

@@ -40,6 +40,7 @@ public class WxCryptUtilTest {
 
     DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
     documentBuilderFactory.setExpandEntityReferences(false);
+    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
     Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml)));
 
@@ -83,6 +84,8 @@ public class WxCryptUtilTest {
       String afterEncrpt = pc.encrypt(this.replyMsg);
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
       dbf.setExpandEntityReferences(false);
+      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
       DocumentBuilder db = dbf.newDocumentBuilder();
       StringReader sr = new StringReader(afterEncrpt);
       InputSource is = new InputSource(sr);
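Review bot: Both tests in this file build and harden their own `DocumentBuilderFactory` instead of obtaining the builder from `WxCryptUtil`, so they do not exercise the production factory this commit fixes; and because `encryptedXml` and `afterEncrpt` are well-formed output with no DOCTYPE, the added `disallow-doctype-decl` lines change nothing these tests can observe. A regression test for the fix would feed a body containing `<!DOCTYPE doc [<!ENTITY x "injected">]><doc>&x;</doc>` to whichever `WxCryptUtil` method uses the hardened builder (presumably the decrypt path — confirm) and assert that it is rejected rather than yielding `injected`. The duplicated setup is also a sign that the factory configuration belongs in a shared helper so the tests and production code cannot drift apart. The enclosing test methods begin before these hunks.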

+ 1 - 0
weixin-java-pay/src/main/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResult.java

@@ -189,6 +189,7 @@ public abstract class BaseWxPayResult implements Serializable {
     try {
       final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
       factory.setExpandEntityReferences(false);
+      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       this.xmlDoc = factory.newDocumentBuilder()
         .parse(new ByteArrayInputStream(this.xmlString.getBytes(StandardCharsets.UTF_8)));
       return xmlDoc;
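Review bot: With DOCTYPE declarations now rejected, the `parse` call below the added line throws a `SAXParseException` for any DOCTYPE'd response body, where the previous `setExpandEntityReferences(false)` alone silently parsed it; the catch for that `try` lies outside the hunk, so confirm it wraps the exception rather than swallowing it — `BaseWxPayResultTest` expecting a `RuntimeException` suggests it does. A short comment on the added line would record why it must stay, e.g. `// Reject DOCTYPE entirely: no DTD means no entities to expand (XXE / billion-laughs).` This is the same three-line hardening as in `WxCryptUtil`; a static `newSecureDocumentBuilderFactory()` helper in weixin-java-common would keep the two in sync. The enclosing method begins before the hunk.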

+ 3 - 1
weixin-java-pay/src/test/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResultTest.java

@@ -75,7 +75,9 @@ public class BaseWxPayResultTest {
   @Test(expectedExceptions = {RuntimeException.class})
   public void testToMap_with_empty_xmlString() {
     WxPayOrderQueryResult result = new WxPayOrderQueryResult();
-    result.setXmlString(" ");
+    result.setXmlString( "<?xml version=\"1.0\" ?><!DOCTYPE doc " +
+      "[<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/testdata2.txt\">]" +
+      "><doc>&win;</doc>");
     Map<String, String> map = result.toMap();
     System.out.println(map);
   }
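Review bot: The rewritten payload on the `setXmlString` lines does not make this a real regression test: its entity points at `file:///C:/Users/user/Documents/testdata2.txt`, which does not exist on most machines, so a parser that still honours DOCTYPE would throw on the missing file, be wrapped as `RuntimeException`, and satisfy `expectedExceptions` with XXE still present. An internal entity separates the two cases — a vulnerable parser resolves it without I/O and `toMap()` succeeds (failing the test), while the hardened parser rejects the DOCTYPE: `result.setXmlString("<?xml version=\"1.0\"?><!DOCTYPE doc [<!ENTITY x \"injected\">]><doc>&x;</doc>");`. The method name `testToMap_with_empty_xmlString` now describes a case that is no longer tested; rename it to something like `testToMap_rejectsDoctype` and restore the original `" "` input as its own test, since the empty-string path lost its coverage. The `System.out.println(map)` after `toMap()` is never reached when the expected exception fires and can go.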