0

My question is regarding the XML Parser of google: com.google.gwt.xml.client.XMLParser. Can it be configured to disallow external doctype or doctype at all?

As i understand SAXParser has that option with setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)

Is there such a thing in gwt parser? where can i find the API? Any help would be appreciated?

thanks, Tal

Answer:
GWT is translating java code to javscript, so code finally executes on client side. GWT relies on the browser to parse the XML. Seeking in web, javadocs doesn't seem to have this functionality and this parser is a very simple DOM tool, with no SAX , no external DTD and no XPath ,and so will not have external entities issues.

Tal
  • 1,773
  • 4
  • 18
  • 20
  • I found JavaDoc here: http://google-web-toolkit.googlecode.com/svn/javadoc/1.5/com/google/gwt/xml/client/XMLParser.html, which does not seem to have the functionality you are after. Perhaps a custom check to verify the existence of a doctype after parsing would suffice? – erikxiv May 16 '12 at 13:30
  • From security perspective, perhaps that would be too late, since if parsing already happened, external site containing hacking may already accessed. – Tal May 16 '12 at 13:40

1 Answers1

0

GWT is translating java code to javscript, so code finally executes on client side. GWT relies on the browser to parse the XML. Seeking in web, javadocs doesn't seem to have this functionality and this parser is a very simple DOM tool, with no SAX , no external DTD and no XPath ,and so will not have external entities issues.

Tal
  • 1,773
  • 4
  • 18
  • 20