|
|
@@ -16,7 +16,7 @@ import org.jdom.input.SAXBuilder;
|
|
|
|
|
|
public class GetWxOrderno {
|
|
|
|
|
|
- private static final Logger log = Logger.getLogger(GetWxOrderno.class);
|
|
|
+ private static final Logger log = Logger.getLogger(GetWxOrderno.class);
|
|
|
/**
|
|
|
* description:获取预支付id
|
|
|
*/
|
|
|
@@ -41,7 +41,7 @@ public class GetWxOrderno {
|
|
|
|
|
|
/**
|
|
|
* description:获取扫码支付连接
|
|
|
- *
|
|
|
+ *
|
|
|
* @param url
|
|
|
* @param xmlParam
|
|
|
* @return
|
|
|
@@ -66,7 +66,7 @@ public class GetWxOrderno {
|
|
|
|
|
|
/**
|
|
|
* 解析xml,返回第一级元素键值对。
|
|
|
- *
|
|
|
+ *
|
|
|
* @param strxml
|
|
|
* @return
|
|
|
* @throws JDOMException
|
|
|
@@ -81,6 +81,13 @@ public class GetWxOrderno {
|
|
|
Map<String, String> m = new HashMap<String, String>();
|
|
|
InputStream in = string2Inputstream(strxml);
|
|
|
SAXBuilder builder = new SAXBuilder();
|
|
|
+
|
|
|
+ // 防止XXE
|
|
|
+ builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
|
+ builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
|
+ builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
|
|
+ builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
|
+
|
|
|
Document doc = builder.build(in);
|
|
|
Element root = doc.getRootElement();
|
|
|
List<Element> list = root.getChildren();
|
|
|
@@ -107,7 +114,7 @@ public class GetWxOrderno {
|
|
|
|
|
|
/**
|
|
|
* 获取子结点的xml
|
|
|
- *
|
|
|
+ *
|
|
|
* @param children
|
|
|
* @return String
|
|
|
*/
|
|
|
@@ -137,4 +144,4 @@ public class GetWxOrderno {
|
|
|
return new ByteArrayInputStream(str.getBytes());
|
|
|
}
|
|
|
|
|
|
-}
|
|
|
+}
|
