Set OPTION_USE_PACKAGE_NS_URI_AS_LOCATION to false

- See #946
archimatetool · Jul 14, 2023 · bcab676 · bcab676
1 parent ad679a4
commit bcab676
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/com.archimatetool.model/src/com/archimatetool/model/util/ArchimateResourceFactory.java b/com.archimatetool.model/src/com/archimatetool/model/util/ArchimateResourceFactory.java
@@ -94,6 +94,8 @@ public Resource createResource(URI uri) {
         resource.getDefaultLoadOptions().put(XMLResource.OPTION_DEFER_IDREF_RESOLUTION, Boolean.TRUE);
         resource.setIntrinsicIDToEObjectMap(new HashMap<String, EObject>());
 
+        // Don't allow loading an unregistered URI in case of exploits
+        resource.getDefaultLoadOptions().put(XMLResource.OPTION_USE_PACKAGE_NS_URI_AS_LOCATION, false);
 
         Map<String, Object> parserFeatures = new HashMap<String, Object>();
         // Don't allow DTD loading in case of XSS exploits